South Korea’s largest e-commerce platform discloses data breach

Coupang, South Korea’s largest e-commerce platform, disclosed a massive data breach traced to a former employee who retained access to internal systems after leaving the company. The incident serves as a textbook case of how incomplete offboarding and lingering credentials can expose tens of millions of customer records, even when traditional security defenses appear intact.


The breach occurred on June 24, 2025, but remained undetected for nearly five months until November 18, when the company finally discovered the unauthorized access. By the time Coupang went public on December 1, the damage was substantial: personal information belonging to 33.7 million customers had been compromised. That represents essentially the entire active user base of the platform. The exposed data included full names, phone numbers, email addresses, physical addresses, and order information. Importantly, payment details and passwords were not compromised, which limited the immediate financial exposure but did nothing to address the privacy concerns affecting half of South Korea’s population.


What makes this breach particularly instructive is how straightforward the attack vector turned out to be. A dismissed IT specialist who worked for the company took a signed authentication key when departing. That single credential became the critical weak point in Coupang’s security posture. According to company policy, the token signing key validity period was set between 5 and 10 years. This meant the former employee could generate as many authentication tokens as needed and access internal systems while completely bypassing security controls, all from overseas servers. The attacker avoided detection by rotating IP addresses, which allowed the unauthorized access to blend in with normal traffic patterns.


This scenario exposes a cascade of security governance failures. The first failure is access provisioning. A developer or IT specialist with the ability to mint, retrieve, or manage authentication keys has essentially unlocked the control plane of the entire organization. They don’t just have access to customer data; they have the keys to generate unlimited credentials that can reach it. The second failure is incomplete offboarding. Removing someone’s primary login or email account is obvious but insufficient. When that person worked on key management systems, every token they could have created, every credential they could have extracted, and every long-lived secret they touched continues to work indefinitely. The third failure is the long validity window itself. A token signing key that remains valid for 5 to 10 years is essentially a perpetual back door. If it falls into the wrong hands, or if an ex-employee chooses to use it, the organization has years of exposure rather than days.

To mitigate these risks, organizations must implement stringent access controls and regularly audit their key management practices. It is essential to enforce a robust offboarding process that extends beyond the removal of primary credentials, ensuring that all associated tokens and secrets are revoked promptly. Furthermore, the validity period of authentication keys should be minimized to reduce the potential for exploitation. By addressing these vulnerabilities, organizations can significantly enhance their security posture and protect sensitive information from unauthorized access.


The timeline of discovery is also telling. Five months passed between the intrusion and detection, which means attackers or a disgruntled former employee had an enormous window to extract, copy, or modify data. By the time investigators began their work, the information could have passed through multiple hands or systems[1][2]. While Coupang stated as of early December that the stolen information had not yet surfaced online, that provides little comfort[1]. Large datasets of PII often take time to monetize; they may be held for leverage, sold quietly in criminal marketplaces, or used for targeted phishing and fraud campaigns long after the breach itself.


For security teams and executives, the Coupang case provides an urgent roadmap of what must change. Joiner-mover-leaver (JML) processes need to be automated, not manual. When an employee departs, that event should trigger simultaneous revocation across the identity provider, cloud IAM systems, SaaS applications, CI/CD platforms, and secrets vaults. API keys, SSH certificates, refresh tokens, and cloud service roles all need to be invalidated within hours. Any credential that the departing employee could have read, modified, or created should be rotated immediately. If someone worked on key management, every signing key they touched should be revoked and reissued.


Privileged access should never be a standing privilege. Administrative functions, key management, and access to production customer data should all be gated behind just-in-time elevation workflows that require explicit approval, strong authentication, device posture verification, and session recording. Separation of duties is not bureaucratic overhead; it is a blast-radius limiter. The engineer who builds the key management system should not also have broad standing access to production databases. The person who provisions API keys should not be able to read arbitrary customer records.


Secrets and keys need a complete reimagining. Long-lived tokens are a liability. Static API keys left in code or configuration files are a timebomb. Instead, secrets should be centralized in a vault, issued with short expiration windows, scoped narrowly to specific use cases, and rotated frequently or automatically. Encryption keys should be managed by HSMs or cloud KMS services; their use should be logged, monitored, and alerted on at any sign of anomalous activity.
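The "perpetual back door" of a signing key valid for years, and this paragraph's call for short-lived, rotated secrets, can be made concrete. The following is an added illustration, not Coupang's code or any named library: a minimal HS256-style issuer whose verifier consults a key registry, so that rotating or revoking a signing key (for example, as an offboarding step) invalidates every token minted under it, even one whose own expiry is still in the future. The names KeyRegistry, mint and verify, the 32-byte secrets and the key lifetime are assumptions.

```python
import base64, hashlib, hmac, json, secrets

# Constructed illustration (not Coupang's code): the verifier checks the key
# registry first, so a revoked or expired signing key kills every token it issued.
def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class KeyRegistry:
    # Signing keys indexed by kid, each with a short lifetime and a revoked flag.
    def __init__(self, key_lifetime_s: int):
        self.key_lifetime_s = key_lifetime_s
        self.keys = {}            # kid -> {"secret", "expires", "revoked"}
        self.current_kid = None

    def rotate(self, now: float) -> str:
        # Issue a fresh key and make it the only key used for new tokens.
        kid = secrets.token_hex(4)
        self.keys[kid] = {"secret": secrets.token_bytes(32),
                          "expires": now + self.key_lifetime_s, "revoked": False}
        self.current_kid = kid
        return kid

    def revoke(self, kid: str) -> None:
        # Offboarding hook: retire a key a departing engineer could have copied.
        self.keys[kid]["revoked"] = True

def mint(reg: KeyRegistry, subject: str, now: float, ttl_s: int) -> str:
    header = _b64(json.dumps({"alg": "HS256", "kid": reg.current_kid}).encode())
    body = _b64(json.dumps({"sub": subject, "iat": int(now), "exp": int(now + ttl_s)}).encode())
    secret = reg.keys[reg.current_kid]["secret"]
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify(reg: KeyRegistry, token: str, now: float) -> tuple:
    try:
        header, body, sig = token.split(".")
        kid = str(json.loads(_unb64(header))["kid"])
        claims = json.loads(_unb64(body))
        exp, sig_bytes = int(claims["exp"]), _unb64(sig)
    except (ValueError, KeyError, TypeError):
        return False, "malformed"
    key = reg.keys.get(kid)               # registry state is checked before anything else
    if key is None or key["revoked"]:
        return False, "signing key revoked or unknown"
    if now > key["expires"]:
        return False, "signing key expired"
    expected = hmac.new(key["secret"], f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_bytes):
        return False, "bad signature"
    if now > exp:
        return False, "token expired"
    return True, str(claims.get("sub", ""))
```

The point is the ordering in verify: a token's own "exp" is consulted last, so a long token lifetime cannot outlive a revoked or rotated key.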


Detection is equally critical. User and entity behavior analytics (UEBA) should flag after-hours administrative actions, unusual data extraction patterns, or access attempts from deprovisioned accounts. Logs must be immutable and tamper-resistant so that investigators can reconstruct timelines with confidence. Most organizations should run “leaver drills” that simulate a rapid departure of their most privileged engineer and measure how long it takes to revoke every credential and rotate every reachable secret. If the answer is not measured in hours, the process needs to be redesigned.
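As an added illustration of the detection logic described above (not Coupang's tooling), the following runs two rules over a handful of constructed audit events: use of an identity after its termination date, and privileged actions outside business hours. It also measures dwell time from the earliest residual-access event to the detection date. The log format, the leaver roster, the business-hours window and the function names are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample audit events (JSON lines) and leaver roster for illustration;
# none of this is Coupang data. Times are UTC; "admin" marks privileged actions.
AUDIT_LOG = """\
{"ts":"2025-06-24T02:13:07Z","actor":"jdoe","action":"token.mint","admin":true}
{"ts":"2025-06-24T02:14:30Z","actor":"jdoe","action":"db.export","admin":false}
{"ts":"2025-06-24T10:05:00Z","actor":"asmith","action":"key.rotate","admin":true}
{"ts":"2025-06-25T23:40:12Z","actor":"asmith","action":"iam.policy.put","admin":true}
{"ts":"2025-06-26T09:00:00Z","actor":"svc-orders","action":"db.read","admin":false}
"""
LEAVERS = {"jdoe": "2025-03-31T17:00:00Z"}   # identity -> termination time (constructed)
BUSINESS_HOURS = range(8, 19)                # 08:00-18:59, assumed to be UTC here

def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def analyze(log_text: str, leavers: dict) -> list:
    """Return one finding per rule hit: residual access by leavers, after-hours admin."""
    terminated = {user: parse_ts(when) for user, when in leavers.items()}
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            ts, actor = parse_ts(ev["ts"]), str(ev["actor"])
        except (ValueError, KeyError, TypeError):
            findings.append({"rule": "unparseable", "ts": None, "line": line})
            continue
        hit = {"actor": actor, "ts": ev["ts"], "action": ev.get("action")}
        if actor in terminated and ts > terminated[actor]:   # any use of a dead identity
            findings.append({"rule": "deprovisioned-actor", **hit})
        if ev.get("admin") is True and ts.hour not in BUSINESS_HOURS:
            findings.append({"rule": "after-hours-admin", **hit})
    return findings

def dwell_days(findings: list, detected_at: str):
    """Days between the earliest residual-access event and when it was noticed."""
    first = [parse_ts(f["ts"]) for f in findings if f["rule"] == "deprovisioned-actor"]
    return (parse_ts(detected_at) - min(first)).days if first else None
```

Unparseable lines are reported rather than dropped, since a log pipeline that silently skips records is exactly what an investigator cannot rely on.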


Governance closes the loop. Quarterly access reviews for all privileged roles and service accounts prevent permission creep. Security training for engineers working on identity systems, data pipelines, and key management should make explicit the unique trust and responsibility that come with those roles. Third-party red teams should specifically target offboarding flows, credential rotation, CI/CD pipelines, and service-account governance, the places where residual access prefers to hide. Leadership should track simple, visible metrics: orphaned identities, average token age, key rotation frequency, and time-to-revoke. What gets measured gets fixed.


For organizations staring at their own access landscapes right now, there is no time like the present. Conduct a company-wide audit of departed employees from the last two years and hunt for orphaned accounts, abandoned credentials, and forgotten cloud roles. Rotate secrets and encryption keys anywhere those people had access. Accelerate the implementation of just-in-time access for sensitive operations. Convert standing administrative access to short-lived, approved workflows. Automate offboarding so that HR events trigger identity deprovisioning without delay. Stand up dashboards that track your progress toward a lower-risk state and make that progress visible to leadership.


The Coupang breach is not a story about a malicious mastermind. It is a story about process failure at scale, which is both sobering and actionable. The companies that prevent the next version of this headline will be those that treat access revocation with the same urgency as intrusion detection, automate offboarding across every system, and prove through regular drills and immutable logs that they can invalidate every path of access in hours, not weeks. That is the standard to aspire to, and it is well within reach.

Nisar Nikzad

Nisar is a Federal Contracting Expert and Cybersecurity Professional with nearly two decades of experience in Government procurement and Compliance. He is the founder and CEO of Cyberix, where he helps organizations navigate Federal acquisition requirements and cybersecurity challenges through practical, strategic solutions.