Home > National > Social Affairs

Even order histories and entry passwords? Coupang leaked far more than just basic data, says Science Ministry

Published: 10 Feb. 2026, 17:20 Updated: 10 Feb. 2026, 19:37

Harold Rogers, interim CEO of Coupang, arrives for a second round of police questioning at the Seoul Metropolitan Police Agency in Mapo District, western Seoul, on Feb. 6. [NEWS1]

Coupang’s data breach exposed far more than basic customer details, investigators said Tuesday, revealing large-scale unauthorized access to delivery addresses, shared building entry passwords, recent order histories and even personal information of users’ acquaintances.

The Ministry of Science and ICT released the findings of a joint public-private investigation into the Coupang hacking incident at the Government Complex in central Seoul. The announcement comes 72 days after the team was formed on Nov. 30, 2025.

Coupang said it detected the breach on Nov. 17, 2025, and reported it to the Korea Internet & Security Agency (KISA) two days later, on Nov. 19.

The investigation mapped out the full scope of the leak by analyzing access logs from Coupang’s website and mobile app. Investigators found that sensitive data was accessed repeatedly through user pages, including the “profile information,” “delivery address list” and “order list” pages.

About 33.67 million user records — including names and email addresses — were confirmed to have been leaked through user profile information pages. Delivery address list pages were accessed about 148 million times. That page contains names, phone numbers, delivery addresses and shared building entrance passwords, which are partially masked with special characters.

In many cases, the delivery address data also included personal information of third parties, such as family members or friends who received packages on behalf of users. Order list pages, which show recently purchased items, were accessed more than 100,000 times, the ministry said.

Investigators identified the attacker as a software developer — a staff-level back-end engineer — who, while employed at Coupang, was responsible for designing and developing the user authentication system used as a backup in the event of system disruptions.

Coupang's headquarters in Songpa District, southern Seoul, is seen on Jan. 29. [NEWS1]

The attacker allegedly stole a signing key from the authentication system he managed while at the company, then used it to forge an “electronic entry pass” to get through Coupang’s authentication process. This allowed unauthorized access to Coupang services without going through standard login procedures.

The investigation team also pointed out that Coupang lacked a verification process to detect forged entry passes and that its management of signing keys held by former employees was inadequate. Coupang had identified vulnerabilities in the overall entry-pass authentication system through penetration testing, but failed to address the underlying issues, the team said.

The Science Ministry plans to impose an administrative fine on Coupang for reporting the incident more than 24 hours after becoming aware of it. Under the Information and Communications Network Act, companies must report a security breach to the Ministry of Science and ICT or KISA within 24 hours of detection.

Coupang’s chief information security officer received a report at 4 p.m. on Nov. 17, 2025, but the company reported the incident to KISA at 9:35 p.m. on Nov. 19, 2025.

The ministry has also requested a law enforcement investigation into Coupang’s alleged violation of a government data preservation order. Despite the order, Coupang did not adjust its automatic log retention policy, resulting in the deletion of about five months of web access logs from July to November 2024. App access logs for May 23 to June 2, 2025, were also deleted.

[MINISTRY OF SCIENCE AND ICT]

Based on the findings, the ministry plans to require Coupang to submit an implementation plan for measures to prevent a recurrence and to check compliance.

Separately, the Personal Information Protection Commission is investigating the scope of the leak and whether any laws were violated under the Personal Information Protection Act. The National Police Agency is also conducting its own investigation.

This article was originally written in Korean and translated by a bilingual reporter with the help of generative AI tools. It was then edited by a native English-speaking editor. All AI-assisted translations are reviewed and refined by our newsroom.
BY KANG KWANG-WOO [[email protected]]