- What: A former Coupang engineer's still-valid credentials were used to access 33.7 million customer accounts, discovered November 18, 2025.
- Impact: The company disclosed to the SEC 28 days later, a shareholder class action followed two days after that, and a Korean subsidiary CEO resigned.
- Fix / mitigation: Revoke privileged access at offboarding, monitor for dormant-credential reuse, and keep a pre-drafted 8-K disclosure playbook on a 4-business-day clock.
- Who's at risk: Any public company whose offboarding and incident-disclosure processes are not wired to the same clock as the SEC's.
A 43-year-old Chinese national, hired in November 2022, helped build Coupang's authentication management systems. He left in 2024. According to a US investor lawsuit, his credentials stayed valid for nearly six months after he walked out, and on November 18, 2025 they were used to reach 33.7 million customer accounts at Korea's largest e-commerce company. (CSO Online.)
That part is almost mundane. A privileged account that should have been killed at offboarding wasn't, and it became the door. What turned a deprovisioning miss into a securities case was what happened next: Coupang waited.
The offboarding gap
The account belonged to someone who had worked directly on authentication management, so it carried exactly the kind of access an attacker wants. It kept working long after the person did, for close to six months. A dormant, highly privileged credential sitting live for half a year is not a sophisticated attack surface. It is a checklist item that nobody owned.
Nobody tied credential revocation to the day the badge was returned. Offboarding was an HR event, not a security one, and the two systems never talked to each other.
The 28 days that became the story
Under SEC rules, a public company must report a material cybersecurity incident within four business days on Form 8-K (Item 1.05). Coupang discovered the breach on November 18, 2025. The filing was due around November 24. It landed on December 16, a 28-day delay.
Two days later, on December 18, shareholders filed Barry v. Coupang, Inc. et al, naming CEO Bom Kim and CFO Gaurav Anand over a class period running from August 6 to December 16, 2025. On December 10, Park Dae-jun, who ran the South Korean operation, had already resigned, with Harold Rogers stepping in as interim head of the subsidiary. Korean regulators can levy fines reported as high as 1.2 trillion won, roughly $814 million.
The RedEye take
The hack is not the interesting part of this story, and pretending it is misses the lesson. Dormant credentials get exploited every week. What made Coupang a case study is that the disclosure clock is now a security control, and the company treated it like a communications decision. In 2026, how fast you can say "we were breached" is part of your attack surface. The four-business-day window means the decision to disclose has to be pre-made, with the legal, finance, and security teams already holding a template, because you do not have 28 days to convene a committee.
What defenders should learn
- Wire credential revocation to the offboarding event itself. The moment HR marks a departure, privileged access should be killed automatically, not on a quarterly access review.
- Treat departed-employee accounts as a monitored class. Any authentication from a credential belonging to someone who has left is an incident until proven otherwise.
- Hunt for dormant-credential reuse and impossible travel. A login from an account that has been idle for months, or from a new geography, is the exact signal that was available here.
- Pre-draft the 8-K. Keep a materiality decision tree and a disclosure template ready so the 4-business-day clock is a fill-in-the-blanks exercise, not a scramble.
- Run the clock in tabletop exercises. If your incident response drill does not include a stopwatch against the SEC window, you are rehearsing the wrong half of the problem.
Caver flags authentication from a credential that has been dormant for months, correlates it with impossible-travel and off-hours access, and raises a risk-based alert the moment a former engineer's account comes back to life, well before 33.7 million records move.
The breach cost Coupang a subsidiary CEO and a shareholder lawsuit. The credential was free to fix. The silence was not.
Questions about your exposure?
RedEye Security provides assessments for organizations that need to understand their real risk.
Talk to us