Korean Investigators:  33,673,817 User Account Records Leaked in Coupang Breach

By Lee Sang-ki
Former President of Asia Journalist Association
Publisher of The AsiaN

SEOUL: South Korea’s Ministry of Science and ICT said on Feb. 10 that a joint public-private investigation confirmed a major data breach at e-commerce giant Coupang, exposing 33,673,817 user account records, including names and emails.

The attacker, a former Coupang software developer of Chinese nationality, accessed the company’s systems from April 14 to Nov. 8, 2024, using automated web-crawling tools.

Investigators found he viewed pages containing phone numbers, delivery addresses, and shared-entry passwords 148.05 million times, suggesting the actual leakage could be larger. Authorities said “viewing equals leakage,” although no payment information was compromised.

According to the investigation, “the attacker” was a former Coupang employee who had developed user authentication software, stole a signing key from an authentication system, conducted tests for the attack and then used web-crawling tools to copy large volumes of data.

Signing keys must be stored only within the management system and not on employees’ personal PCs, Coupang’s internal rules stipulate.

Coupang faces penalties for delayed reporting and alleged violations of evidence-preservation orders. The final number of leaked records will be determined by the Personal Information Protection Commission.