Park Dae-jun, CEO of Coupang, bows his head in apology as he attends the 18th full session of the 429th National Assembly (regular session) Science, ICT, Broadcasting, and Communications Committee at the National Assembly in Yeouido, Seoul, on the 2nd. /Courtesy of News1

Bran Metis, Coupang's chief information security officer (CISO), said on the 2nd that, regarding the leak of Coupang members' personal information, "a person believed to be the attacker used a stolen signing key to sign the real key and impersonated another user."

Metis, the CISO, explained this in response to Reform Party lawmaker Lee Jun-seok's question, "How did the attacker access the databases and obtain information?" at the 18th full meeting of the Science, ICT, Broadcasting, and Communications Committee held that day at the National Assembly.

Lee told the CISO, "We must determine whether this attack was aimed at stealing customer information or at taking over Coupang's entire system," and asked, "What is the nature of the authentication key that was misused for the crime?"

In response, the CISO said, "As the person responsible for information security, I know how the technical elements unfolded during the attack, but because the police investigation is ongoing, I cannot comment on the employee's motives."

The CISO explained that the cryptographic key for the token, which the person believed to be the attacker used, "mediates the token that is issued to customers who log in normally to use the service," and is "a technology that allows us to know who the customer is when the customer connects from a device."

The CISO said, "According to the investigation, we do not see that information such as customers' credentials (including authentication keys), hash values, or passwords was exposed," and added, "The person believed to be the attacker used a stolen signing key to actually sign a key and impersonate another user."

The CISO added, "According to the current investigation, the attacker used the stolen signing key to impersonate another user and access the server," and explained, "All Coupang authentication tokens are validated by signing with a private key (encrypted code), but a third party used Coupang's private key to create fake tokens."

The CISO also said, "When the attacker connected to Coupang, they did not use the (APIs) inside Coupang but instead manipulated external APIs," and answered, "They could not access the raw (unprocessed) internal databases of Coupang's systems."

Meanwhile, regarding the motive of the employee who caused the leak, the CISO said, "I cannot answer because a police investigation is underway."
