 Even order histories and entry passwords? Coupang leaked far more than just basic data, says Science Ministry
Korea JoongAng Daily

Home > National > Social Affairs

print dictionary print

Even order histories and entry passwords? Coupang leaked far more than just basic data, says Science Ministry

Published: 10 Feb. 2026, 17:20
Harold Rogers, interim CEO of Coupang, arrives for a second round of police questioning at the Seoul Metropolitan Police Agency in Mapo District, western Seoul, on Feb. 6. [NEWS1]

Harold Rogers, interim CEO of Coupang, arrives for a second round of police questioning at the Seoul Metropolitan Police Agency in Mapo District, western Seoul, on Feb. 6. [NEWS1]

 
Coupang’s data breach exposed far more than basic customer details, investigators said Tuesday, revealing large-scale unauthorized access to delivery addresses, shared building entry passwords, recent order histories and even personal information of users’ acquaintances. 
 
The Ministry of Science and ICT released the findings of a joint public-private investigation into the Coupang hacking incident at the Government Complex in central Seoul. The announcement comes 72 days after the team was formed on Nov. 30, 2025.  
 

Related Article

 
Coupang said it detected the breach on Nov. 17, 2025, and reported it to the Korea Internet & Security Agency (KISA) two days later, on Nov. 19.
 
The investigation mapped out the full scope of the leak by analyzing access logs from Coupang’s website and mobile app. Investigators found that sensitive data was accessed repeatedly through user pages, including the “profile information,” “delivery address list” and “order list” pages. 
 
About 33.67 million user records — including names and email addresses — were confirmed to have been leaked through user profile information pages. Delivery address list pages were accessed about 148 million times. That page contains names, phone numbers, delivery addresses and shared building entrance passwords, which are partially masked with special characters. 
 
In many cases, the delivery address data also included personal information of third parties, such as family members or friends who received packages on behalf of users. Order list pages, which show recently purchased items, were accessed more than 100,000 times, the ministry said. 
 
Investigators identified the attacker as a software developer — a staff-level back-end engineer — who, while employed at Coupang, was responsible for designing and developing the user authentication system used as a backup in the event of system disruptions.
 
Coupang's headquarters in Songpa District, southern Seoul, is seen on Jan. 29. [NEWS1]

Coupang's headquarters in Songpa District, southern Seoul, is seen on Jan. 29. [NEWS1]

 
The attacker allegedly stole a signing key from the authentication system he managed while at the company, then used it to forge an “electronic entry pass” to get through Coupang’s authentication process. This allowed unauthorized access to Coupang services without going through standard login procedures.
 
The investigation team also pointed out that Coupang lacked a verification process to detect forged entry passes and that its management of signing keys held by former employees was inadequate. Coupang had identified vulnerabilities in the overall entry-pass authentication system through penetration testing, but failed to address the underlying issues, the team said.
 
The Science Ministry plans to impose an administrative fine on Coupang for reporting the incident more than 24 hours after becoming aware of it. Under the Information and Communications Network Act, companies must report a security breach to the Ministry of Science and ICT or KISA within 24 hours of detection.
 
Coupang’s chief information security officer received a report at 4 p.m. on Nov. 17, 2025, but the company reported the incident to KISA at 9:35 p.m. on Nov. 19, 2025.
 
The ministry has also requested a law enforcement investigation into Coupang’s alleged violation of a government data preservation order. Despite the order, Coupang did not adjust its automatic log retention policy, resulting in the deletion of about five months of web access logs from July to November 2024. App access logs for May 23 to June 2, 2025, were also deleted.
 
A Coupang truck is parked in Seoul on Jan. 23. [NEWS1]

A Coupang truck is parked in Seoul on Jan. 23. [NEWS1]

 
Based on the findings, the ministry plans to require Coupang to submit an implementation plan for measures to prevent a recurrence and to check compliance.
 
Separately, the Personal Information Protection Commission is investigating the scope of the leak and whether any laws were violated under the Personal Information Protection Act. The National Police Agency is also conducting its own investigation.


This article was originally written in Korean and translated by a bilingual reporter with the help of generative AI tools. It was then edited by a native English-speaking editor. All AI-assisted translations are reviewed and refined by our newsroom.
BY KANG KWANG-WOO [[email protected]]
tags Coupang Korea

More in Social Affairs

Special education teacher's death recognized as work-related by Veterans Affair Ministry

Seoul mayor defends planned Korean War memorial, accuses central gov't of interfering

Cabinet approves change to break up parental leave in week increments

Even order histories and entry passwords? Coupang leaked far more than just basic data, says Science Ministry

Gov't to launch pilot program integrating KTX, SRT high-speed rail services

Related Stories

Coupang says probe into former employee was conducted in close cooperation with gov't

Coupang interim chief questioned for 12 hours over data breach

FTC looks into Coupang bundling food delivery, streaming platform services

Coupang to hike WOW membership fee by 58 percent from Saturday

Large-scale task force to comprehensively examine wide range of allegations against Coupang
Log in to Twitter or Facebook account to connect
with the Korea JoongAng Daily
help-image Social comment?
s
lock icon

To write comments, please log in to one of the accounts.

Standards Board Policy (0/250자)