Change your entrance passcode now. Your home address has been compromised 150 million times.
A government investigation into Coupang's data breach revealed that personal information including names, phone numbers, addresses, and building entrance passcodes was accessed 150 million times without authorization. The perpetrator, identified as a Chinese national who previously worked at Coupang, obtained far more data than the initially reported 33 million records. The government concluded that the breach resulted from Coupang's management failures rather than sophisticated hacking.
The Ministry of Science and ICT announced the findings of a joint public-private investigation team at the Seoul Government Complex on Thursday.
The investigation found the perpetrator attacked Coupang from April 14 to November 8 last year over a seven-month period. Approximately 33.67 million user names and email addresses were leaked through Coupang's "Edit My Information" page. The perpetrator also accessed the "Delivery Address List" page approximately 148 million times to extract data. This data included names, phone numbers, delivery addresses, and building entrance passcodes that had been partially masked with special characters. Building entrance passcodes, which raised concerns about potential secondary crimes, were accessed approximately 50,000 times along with names, phone numbers, and addresses through the "Edit Delivery Address" page.
Coupang's inadequate security system was identified as the root cause of the massive breach. According to the investigation team, Coupang failed to detect and block the perpetrator's abnormal access patterns in advance. Furthermore, Coupang did not immediately update its signing keys after the perpetrator, who had worked as a developer on user authentication systems, left the company. Choi Woo-hyuk, Director General of Information Security and Network Policy at the Ministry of Science and ICT, said the ministry "strongly criticized and pointed out the problems with Coupang's authentication system," emphasizing that "this is a management issue, not a sophisticated attack."