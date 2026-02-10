A former Coupang employee accessed tens of millions of user records over seven months by forging internal authentication keys — an incident the Korean government has deemed the most serious data breach to ever hit the country’s e-commerce sector.

The Ministry of Science and ICT on Tuesday announced findings from a joint public-private investigation. Officials described the case as a major breach targeting the nation’s largest online retailer and pointed to the sheer volume of data compromised.

More than 33.67 million user records, including names and email addresses, were leaked through Coupang’s personal information editing page, according to the ministry. The figure announced by the investigation team on Tuesday did not include an additional account breach disclosed by Coupang last week.

Coupang earlier said that personal data — including names, addresses and order histories — had been leaked from about 33.7 million user accounts in late November. The company separately said last week that another 165,455 user accounts had been affected.

The company’s delivery address list page was accessed more than 148 million times, resulting in the leak of names, phone numbers and street addresses. Around 50,000 views were recorded on a page for editing delivery information that included main-door passcodes for shared residential entrances. The order history page saw about 100,000 accesses.

"The scale of the breach was estimated based on web access logs and other related records, and the final scope of the personal data leak will be confirmed and announced later by the Personal Information Protection Commission," Choi Woo-hyuk, director general of cybersecurity and network policy bureau at the ICT Ministry said during a press briefing at Government Complex Seoul.

The breach occurred between April and November last year. The central figure was a former developer who had worked on Coupang’s user authentication system. While employed, the individual obtained a signing key. That key was later used to forge what investigators referred to as an “electronic access badge,” granting access to user accounts without going through normal login procedures.

Using automated tools, the attacker scraped large volumes of sensitive data, investigators said, adding that more than 2,300 IP addresses were used in the process. The abnormal activity continued for months without being detected.

The investigation pointed to deep flaws in Coupang’s internal credential management. Forged credentials were not subject to verification, and signing keys belonging to former employees were neither revoked nor rotated. Despite the departure of the employees, some signing keys continued to be used in system operations, and investigators found that keys had also been stored on developer PCs.

Coupang also violated its legal obligation to report the breach within 24 hours. The company submitted the report nearly two days late and is set to be fined up to 30 million won ($20,600) under the information network law. In a more serious violation, certain access logs were deleted even after the government had issued a formal order to preserve all related records.

The investigation team urged Coupang to tighten controls over the issuance and use of authentication keys, strengthen monitoring to detect abnormal access, and carry out regular checks to ensure compliance with its own security rules.

It also referred the matter for investigation after Coupang failed to comply with a data preservation order issued on Nov. 19 last year, leading to the deletion of roughly five months’ worth of web access logs from July 2024 and the loss of application access records covering late May to early June.

Based on the findings, the ICT Ministry has requested that Coupang submit an implementation plan for preventive measures later this month and said it will review the results of those measures by July.