Joint public-private investigation team announces findings
33,673,817 user records leaked
Unauthorized access without going through normal login
Shortcomings noted in Coupang’s authentication system and security
Delayed reporting and violation of data-preservation order as well
Coupang headquarters in Songpa-gu, Seoul. Sung Dong-hoon
It was found that the attacker in the Coupang personal-data leak extracted users’ personal information through abnormal access, including viewing the delivery-address list page (containing names, phone numbers, and addresses) about 148 million times. On the “Edit My Info” page, name and email information for 33.67 million records was found to have been leaked. The Personal Information Protection Commission will finalize the detailed scope of the personal-data leak at a later date.
On the 10th, the Ministry of Science and ICT announced the findings of a joint public-private investigation team into the Coupang breach. Earlier, the incident erupted when a former employee of Chinese nationality, identified as Mr. A, who had handled authentication system development at Coupang, leaked users’ personal information on a massive scale.
According to the team, the attacker sent Coupang two emails, on November 16 and 25 last year, stating that information had been exfiltrated. The attacker claimed to have leaked more than 120 million delivery-address records, more than 560 million order records, and more than 33 million email-address records.
The team stated, “After the attacker leaked names and emails from Coupang’s Edit My Info page, names, phone numbers, addresses, and shared-entrance passwords from the delivery-address list page, and information on items users ordered from the order list page, they included part of that data in an email sent to Coupang.”
The team also confirmed, through analysis of Coupang’s web and application access records (logs), that user information was leaked from pages including Edit My Info, the delivery-address list, and the order list.
From the Edit My Info page, the team verified that 33,673,817 user records containing name and email were leaked.
Additionally, the attacker viewed the delivery-address list page, which contains name, phone number, delivery address, and shared-entrance passwords masked with special characters, 148,056,502 times to siphon information. The delivery-address list page contains a large amount of information not only about the account holder but also about third parties such as family and friends, including their names, phone numbers, and delivery addresses.
The page for editing the delivery-address list, which includes shared-entrance passwords in addition to name, phone number, and delivery address, was also viewed 50,474 times. The order list page, which shows a user’s recently ordered items, was viewed 102,682 times.
Provided by the Ministry of Science and ICT
The team said, “We estimated the scale of the leak based on web access records and other sources,” adding, “The Personal Information Protection Commission will later finalize and announce the size of the personal-data leak.”
It was found that the attacker exploited an authentication vulnerability on Coupang’s servers to access user accounts abnormally without a normal login and exfiltrate information without authorization.
Under normal usage, a user goes through the login process to receive an “electronic pass.” Coupang’s gateway server verifies whether the issued electronic pass is valid and, if there is no issue, allows access to the service.
The attacker stole the signing key of the user authentication system they had administered while employed, then used it to forge or alter electronic passes and bypass Coupang’s authentication framework. As a result, they were able to access Coupang’s services without going through the normal login procedure.
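To make the mechanism described above concrete, the following is an added Python sketch; it is not Coupang’s code, and the pass format (an HMAC-signed token carrying a key identifier), the key names `k1`/`k2`, the subject values, and the server-side issuance registry are all assumptions constructed for illustration. It shows why a gateway that only checks the signature cannot distinguish a pass forged with a stolen signing key from a genuine one, and two defender-side controls that do: binding every pass to a record the login service actually created, and rotating the key so passes signed with the compromised key are refused.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed key material for the example; kid identifies which key signed a pass.
SIGNING_KEYS = {"k1": b"constructed-key-one", "k2": b"constructed-key-two"}
ACTIVE_KID = "k1"
REVOKED_KIDS: set = set()
# Server-side record of passes the login service actually issued (jti -> subject).
ISSUED: dict = {}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(payload: dict, kid: str, key: bytes) -> str:
    """Produce 'kid.payload.sig' where sig = HMAC-SHA256(key, kid + '.' + payload)."""
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    mac = hmac.new(key, f"{kid}.{body}".encode(), hashlib.sha256).digest()
    return f"{kid}.{body}.{_b64(mac)}"


def login(subject: str, now: float) -> str:
    """Login service: issue a pass for an authenticated subject and record it."""
    payload = {"sub": subject, "jti": secrets.token_hex(8), "exp": now + 3600}
    ISSUED[payload["jti"]] = subject
    return sign(payload, ACTIVE_KID, SIGNING_KEYS[ACTIVE_KID])


def verify(token: str, now: float, require_issuance: bool = True) -> tuple:
    """Gateway check. Returns (accepted, subject-or-reason)."""
    try:
        kid, body, sig = token.split(".")
    except ValueError:
        return False, "malformed"
    if kid in REVOKED_KIDS or kid not in SIGNING_KEYS:
        return False, f"key {kid} not accepted"
    expected = hmac.new(SIGNING_KEYS[kid], f"{kid}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return False, "bad signature"
    payload = json.loads(_unb64(body))
    if payload.get("exp", 0) < now:
        return False, "expired"
    # A valid signature only proves possession of the key; it does not prove a login happened.
    if require_issuance and ISSUED.get(payload.get("jti")) != payload.get("sub"):
        return False, "pass was never issued by the login service"
    return True, payload["sub"]


def rotate_key(old_kid: str, new_kid: str) -> None:
    """Retire a compromised key; every pass it signed becomes invalid at once."""
    global ACTIVE_KID
    REVOKED_KIDS.add(old_kid)
    ACTIVE_KID = new_kid


def demo() -> dict:
    now = time.time()
    legit = login("user-123", now)
    # Someone holding a copy of k1 can mint a pass for any subject without logging in.
    forged = sign({"sub": "victim-999", "jti": "forged", "exp": now + 3600}, "k1", SIGNING_KEYS["k1"])
    results = {
        "legit": verify(legit, now),
        "forged_sig_only": verify(forged, now, require_issuance=False),
        "forged_with_issuance": verify(forged, now),
    }
    rotate_key("k1", "k2")
    results["forged_after_rotation"] = verify(forged, now)
    results["legit_after_rotation"] = verify(legit, now)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The `forged_sig_only` result is the gateway behaviour the article describes: with nothing but signature verification, a pass minted with the stolen key is indistinguishable from a real one. The issuance check and the key rotation both reject it; rotation also invalidates the legitimate user’s pass, which is the expected cost (a forced re-login for everyone) of retiring a compromised key.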
The team pointed out that Coupang’s information protection management system, including its user authentication framework and key management, was inadequate. Legal violations also occurred, including delayed incident reporting and noncompliance with data-preservation orders.
Based on the team’s findings, the Ministry of Science and ICT will require Coupang to submit, by this month, an implementation plan for recurrence-prevention measures and will check whether it is carried out. For items needing improvement identified through the implementation review, corrective action will be ordered under the Information and Communications Network Act.