Particle.news
Download on the App Store
4 ARTICLES
·
2mo ago

Joint Probe Confirms Coupang Breach Exposed 33.6 Million Accounts, Blames Forged Key and Lax Controls

Investigators say a fake authentication pass built from an internal signing key let a former developer bypass logins.

Science Minister Bae Kyung-hoon speaks during a parliamentary session held in Seoul on Feb. 11, 2026. (Yonhap)
Choi Woo-hyuk, director general of the science ministry's cybersecurity bureau, speaks during a press conference in Seoul on Feb. 10, 2026. (Yonhap)
This screenshot of Coupang's website, provided by the Ministry of Science and ICT on Feb. 10, 2026, shows the delivery section including users' names, addresses and phone numbers. (PHOTO NOT FOR SALE) (Yonhap)

Overview

  • South Korea’s science ministry said 33.67 million users’ names and emails were exposed, with the delivery address page viewed about 148 million times revealing names, phone numbers, street addresses and some shared entrance passcodes.
  • The breach ran from April to November 2025 and went undetected as forged tokens functioned like valid credentials, with probes finding unrevoked signing keys, keys stored on developer PCs and inadequate monitoring.
  • Authorities will fine Coupang for reporting nearly two days late after detecting issues on Nov. 17, have referred deleted access logs for criminal investigation and have ordered corrective measures with follow-up inspections slated for June–July.
  • Police are investigating the former developer suspected in the scheme, and the data protection watchdog is reviewing the scope of violations as regulators analyzed 25.6 terabytes of logs to determine exposure.
  • Coupang says there is no evidence of dark‑web circulation or secondary harm and that payment data, passwords and government IDs were not accessed, while acknowledging an additional leak affecting 165,455 accounts not counted in the joint probe’s tally.