There are claims that poor management of long-valid authentication keys was behind the large-scale customer data leak at Coupang. Because the signing keys issued to authentication-related staff were not rotated, access remained open for former employees, and analysts say this gap led to a massive leak.

According to materials submitted by Coupang to the office of Rep. Choi Min-hee of the Democratic Party of Korea, a member of the Science, ICT, Broadcasting, and Communications Committee, on the 1st, Coupang said, "We understand that there are many cases where the valid authentication period for token signing keys is set at 5–10 years," adding, "The rotation period is long and varies widely by key type."

The Coupang headquarters in Songpa-gu, Seoul, on the 30th of last month. /Courtesy of News1

If the token needed for login is a one-time pass that opens the door to access data, the signing key serves as a kind of stamp that issues the pass. Even though tokens are generated and immediately discarded in Coupang's login system, the office said internal staff exploited the fact that the signing information needed to generate tokens was not deleted or rotated when responsible employees left the company.
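The following is an added example, not Coupang's code and not drawn from the submitted materials: a minimal JWT-style (HS256) token issuer and verifier whose verifier trusts only signing keys that are still active and younger than a 90-day rotation policy (an assumed value, in contrast to the 5–10 years cited above). It shows why rotating or retiring a signing key matters: once a key is retired, every token it signed is rejected and it can no longer stamp new ones, and a key left in place for years is refused by the age check even if nobody retired it. Key IDs, secrets, the fixed clock value and claims are all constructed sample values.

```python
"""Added example (not Coupang's code): a token signing key ring with rotation.

Tokens are JWT-style HS256 (header.payload.signature, base64url, HMAC-SHA256).
The verifier only trusts keys that are active and younger than
MAX_KEY_AGE_SECONDS, so retiring a key invalidates every token it ever signed.
All key IDs, secrets, clock values and claims are constructed sample data.
"""
import base64
import hashlib
import hmac
import json
import time

MAX_KEY_AGE_SECONDS = 90 * 24 * 3600  # assumed policy: rotate signing keys every 90 days


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TokenError(Exception):
    pass


class SigningKeyRing:
    """Holds signing keys by key ID ('kid') and records when each was created/retired."""

    def __init__(self, now=time.time):
        self._now = now
        self._keys = {}  # kid -> {"secret": bytes, "created": float, "retired": float|None}

    def add_key(self, kid: str, secret: bytes) -> None:
        self._keys[kid] = {"secret": secret, "created": self._now(), "retired": None}

    def retire_key(self, kid: str) -> None:
        # Rotation or off-boarding: the key may no longer sign or verify anything.
        self._keys[kid]["retired"] = self._now()

    def active_key(self, kid: str) -> bytes:
        entry = self._keys.get(kid)
        if entry is None:
            raise TokenError(f"unknown kid {kid!r}")
        if entry["retired"] is not None:
            raise TokenError(f"kid {kid!r} has been retired")
        if self._now() - entry["created"] > MAX_KEY_AGE_SECONDS:
            raise TokenError(f"kid {kid!r} is older than the rotation policy allows")
        return entry["secret"]

    def issue(self, kid: str, claims: dict, ttl_seconds: int = 300) -> str:
        secret = self.active_key(kid)  # refuses unknown, retired or stale keys
        header = {"alg": "HS256", "typ": "JWT", "kid": kid}
        payload = dict(claims, exp=int(self._now()) + ttl_seconds)
        signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
        sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + _b64url(sig)

    def verify(self, token: str) -> dict:
        try:
            h, p, s = token.split(".")
        except ValueError:
            raise TokenError("malformed token")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":
            raise TokenError("unexpected alg")
        secret = self.active_key(header.get("kid", ""))  # same key policy as on issue
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            raise TokenError("bad signature")
        payload = json.loads(_b64url_decode(p))
        if payload.get("exp", 0) < self._now():
            raise TokenError("token expired")
        return payload


def rotation_demo() -> dict:
    """Walk through a key rotation and report what the verifier still accepts."""
    clock = [1_700_000_000.0]  # constructed fixed clock so the demo is deterministic
    ring = SigningKeyRing(now=lambda: clock[0])
    ring.add_key("k-2023-q4", b"constructed-secret-A")
    results = {}

    token = ring.issue("k-2023-q4", {"sub": "ops-user-42", "scope": "customer-read"})
    results["before_rotation"] = ring.verify(token)["sub"]

    # Scheduled rotation: new key in, old key retired (e.g. when its custodian leaves).
    ring.add_key("k-2024-q1", b"constructed-secret-B")
    ring.retire_key("k-2023-q4")
    try:
        ring.verify(token)
        results["old_token_after_rotation"] = "accepted"
    except TokenError as err:
        results["old_token_after_rotation"] = str(err)

    # The retired stamp can no longer issue passes either.
    try:
        ring.issue("k-2023-q4", {"sub": "ops-user-42"})
        results["issue_with_retired_key"] = "allowed"
    except TokenError as err:
        results["issue_with_retired_key"] = str(err)

    # A key left in place for five years trips the age check even though nobody retired it.
    clock[0] += 5 * 365 * 24 * 3600
    try:
        ring.verify(ring.issue("k-2024-q1", {"sub": "ops-user-42"}))
        results["five_year_old_key"] = "accepted"
    except TokenError as err:
        results["five_year_old_key"] = str(err)
    return results
```

The design point is that the verifier applies the same key-status check as the issuer, so rotation is enforced at the point of use rather than relying on every copy of the old secret being deleted; the age limit additionally bounds the damage of a key that was simply forgotten.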

The office said, "Renewing signing keys is the most basic internal procedure, yet Coupang did not follow it," adding, "Leaving long-valid authentication keys unattended is not a simple case of an employee going rogue but the result of organizational and structural problems at Coupang, which neglected its authentication framework."

The large-scale Coupang customer information leak is believed to involve a former employee of Chinese nationality. The person, a developer, is increasingly suspected of having siphoned customer information from China after leaving the company by using tokens obtained while employed.

※ This article has been translated by AI.