INSIDER THREAT & DISCLOSURE

Coupang's Breach Wasn't the Hack. It Was the 28 Days of Silence.

A departed engineer kept valid credentials for nearly six months, then 33.7 million Coupang accounts were reached. But the breach isn't what triggered the shareholder lawsuit. The 28-day delay in telling the SEC did.

Matt Lucas  |  July 11, 2026  |  6 min
Coupang's Breach Wasn't the Hack. It Was the 28 Days of Silence. — editorial hero illustration
33.7M
customer accounts exposed
28 days
delay vs the 4-day SEC rule
~6 months
a departed engineer kept live credentials
$814M
potential Korean regulatory fine
TL;DR
  • What: A former Coupang engineer's still-valid credentials were used to access 33.7 million customer accounts, discovered November 18, 2025.
  • Impact: The company disclosed to the SEC 28 days later, a shareholder class action followed two days after that, and a Korean subsidiary CEO resigned.
  • Fix / mitigation: Revoke privileged access at offboarding, monitor for dormant-credential reuse, and keep a pre-drafted 8-K disclosure playbook on a 4-business-day clock.
  • Who's at risk: Any public company whose offboarding and incident-disclosure processes are not wired to the same clock as the SEC's.

A 43-year-old Chinese national, hired in November 2022, helped build Coupang's authentication management systems. He left in 2024. According to a US investor lawsuit, his credentials stayed valid for nearly six months after he walked out, and on November 18, 2025 they were used to reach 33.7 million customer accounts at Korea's largest e-commerce company. (CSO Online.)

That part is almost mundane. A privileged account that should have been killed at offboarding wasn't, and it became the door. What turned a deprovisioning miss into a securities case was what happened next: Coupang waited.

The offboarding gap

The account belonged to someone who had worked directly on authentication management, so it carried exactly the kind of access an attacker wants. It kept working long after the person did, for close to six months. A dormant, highly privileged credential sitting live for half a year is not a sophisticated attack surface. It is a checklist item that nobody owned.

The real vulnerability

Nobody tied credential revocation to the day the badge was returned. Offboarding was an HR event, not a security one, and the two systems never talked to each other.

The 28 days that became the story

Under SEC rules, a public company must report a material cybersecurity incident within four business days on Form 8-K (Item 1.05). Coupang discovered the breach on November 18, 2025. The filing was due around November 24. It landed on December 16, a 28-day delay.

Two days later, on December 18, shareholders filed Barry v. Coupang, Inc. et al, naming CEO Bom Kim and CFO Gaurav Anand over a class period running from August 6 to December 16, 2025. On December 10, Park Dae-jun, who ran the South Korean operation, had already resigned, with Harold Rogers stepping in as interim head of the subsidiary. Korean regulators can levy fines reported as high as 1.2 trillion won, roughly $814 million.

The RedEye take

The hack is not the interesting part of this story, and pretending it is misses the lesson. Dormant credentials get exploited every week. What made Coupang a case study is that the disclosure clock is now a security control, and the company treated it like a communications decision. In 2026, how fast you can say "we were breached" is part of your attack surface. The four-business-day window means the decision to disclose has to be pre-made, with the legal, finance, and security teams already holding a template, because you do not have 28 days to convene a committee.

What defenders should learn

How Caver would catch this

Caver flags authentication from a credential that has been dormant for months, correlates it with impossible-travel and off-hours access, and raises a risk-based alert the moment a former engineer's account comes back to life, well before 33.7 million records move.

The breach cost Coupang a subsidiary CEO and a shareholder lawsuit. The credential was free to fix. The silence was not.

Questions about your exposure?

RedEye Security provides assessments for organizations that need to understand their real risk.

Talk to us