Coupang Data Breach: How 33 Million User Records Were Exposed and What You Need to Know
Daniel Kim Views
A former Coupang employee has leaked personal information on a massive scale, surpassing the government’s initial estimate of 33 million records. The breach extends to delivery addresses and other sensitive data, affecting a staggering 150 million records.
On February 10, the Ministry of Science and ICT held a press conference at the Seoul Government Complex to announce preliminary findings from a joint public-private investigation into the Coupang data breach.
The ministry analyzed 25.6 terabytes (TB) of Coupang’s web access logs, containing 664.2 billion data points, dating back to November 29 of last year. Their investigation confirmed that over 33.67 million records, including user names and email addresses, were compromised through Coupang’s “My Information” edit page.
While initial estimates put the breach at 33.7 million records, further investigation revealed the actual number to be slightly lower at 33.67 million.
The investigation also uncovered that the perpetrator accessed the “Delivery Address List” page approximately 148 million times, potentially exposing names, phone numbers, delivery addresses, and encrypted shared entrance passwords.
This compromised data not only includes account holders’ information but also that of family members and friends who made purchases on their behalf, potentially widening the scope of affected individuals.
The investigation team refrained from specifically identifying the perpetrator as Chinese. However, they noted that the individual exploited vulnerabilities in user authentication to access accounts without proper login procedures, leading to the extensive data breach. The team criticized Coupang for failing to detect this unauthorized access.
Moreover, the investigation revealed that Coupang was aware of the potential security risks associated with improperly issued electronic entry passes (tokens) but failed to address the issue.
In response to these findings, the Ministry of Science and ICT has mandated that Coupang submit a comprehensive plan to prevent future breaches by the end of this month. The ministry will then review the implementation of these measures by July of this year.
Most Commented