Written by 11:14 AM Economics

“Abandoned authentication key of Coupang led to the leak of 33.7 million personal information records”

“Urgent Overhaul Needed for Overall Security System, Including Key Rotation”

There has been a claim that the leak of 33.7 million pieces of personal information from Coupang occurred because a valid authentication key, used to sign the access tokens issued at login, was left unattended for an extended period.


Choi Min-hee, Chair of the National Assembly’s Science, ICT, Broadcasting, and Communications Committee. [Photo: Office of Representative Choi Min-hee]
On the 1st, materials submitted by Coupang to Choi Min-hee, Chair of the National Assembly’s Science, ICT, Broadcasting, and Communications Committee, revealed that Coupang, while declining to state the specific validity period of the key exploited in the hack because of an ongoing police investigation, responded regarding the validity period of token signing keys: “I am aware that it is often set to 5-10 years,” and “The rotation period is long and varies greatly depending on the key type.”
It was suggested that the signing material required for token generation was neither deleted nor updated when the employees responsible for it resigned, leaving it open to potential misuse by insiders. Chairman Choi stated, “Even if you have an entrance badge, you cannot enter without an authorization stamp. However, allowing the signing key to remain unattended for so long is akin to someone continuously stamping and using it secretly.”
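The rotation and revocation discipline that the paragraph above says was missing, shown as an added Python example that is not code from Coupang or from the article: a token-signing key ring in which only the newest key signs, a rotated-out key verifies only until the tokens it signed have expired, a revoked key (for instance when its custodian leaves) verifies nothing, and a key older than its maximum age is refused for both signing and verification. The token format (HS256 with the key id in the header), the 15-minute token lifetime and the 90-day key lifetime are constructed assumptions, not figures from the page.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed policy values for this example; they are not Coupang's real settings.
TOKEN_TTL = 15 * 60            # an access token lives 15 minutes
MAX_KEY_AGE = 90 * 24 * 3600   # a signing key must be rotated within 90 days


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


@dataclass
class SigningKey:
    kid: str
    secret: bytes
    created_at: float
    retired_at: Optional[float] = None   # set when rotated out or revoked


class KeyRing:
    """Token-signing keys: only the newest key signs; older keys verify for a bounded time."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.now = clock                      # injectable clock so rotation can be tested
        self._keys: dict[str, SigningKey] = {}
        self._active: Optional[str] = None

    def rotate(self) -> str:
        """Mint a new key, retire the current one, and return the new key id."""
        if self._active is not None:
            self._keys[self._active].retired_at = self.now()
        kid = secrets.token_hex(4)
        self._keys[kid] = SigningKey(kid, secrets.token_bytes(32), self.now())
        self._active = kid
        return kid

    def revoke(self, kid: str) -> None:
        """Emergency revocation (e.g. a key custodian leaves): no grace period at all."""
        self._keys[kid].retired_at = float("-inf")   # as if retired forever ago
        if self._active == kid:
            self._active = None

    def signing_key(self) -> SigningKey:
        if self._active is None:
            raise RuntimeError("no active signing key; rotate() first")
        key = self._keys[self._active]
        if self.now() - key.created_at > MAX_KEY_AGE:
            raise RuntimeError("active signing key exceeded MAX_KEY_AGE; rotate() first")
        return key

    def verification_key(self, kid: str) -> Optional[SigningKey]:
        key = self._keys.get(kid)
        if key is None:
            return None
        now = self.now()
        if now - key.created_at > MAX_KEY_AGE + TOKEN_TTL:
            return None   # an abandoned key verifies nothing, whatever 'exp' a token claims
        if key.retired_at is not None and now - key.retired_at > TOKEN_TTL:
            return None   # a retired key verifies only until the tokens it signed have expired
        return key


def sign_with(key: SigningKey, subject: str, exp: int) -> str:
    """Build a compact HS256 token (JWT-like) that names its signing key in the header."""
    header = _b64(json.dumps({"alg": "HS256", "kid": key.kid}).encode())
    payload = _b64(json.dumps({"sub": subject, "exp": exp}).encode())
    sig = hmac.new(key.secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def issue_token(ring: KeyRing, subject: str) -> str:
    return sign_with(ring.signing_key(), subject, int(ring.now() + TOKEN_TTL))


def verify_token(ring: KeyRing, token: str) -> Optional[str]:
    """Return the subject of a valid token, else None; key state is checked before the MAC."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64(header_b64))
        payload = json.loads(_unb64(payload_b64))
        sig = _unb64(sig_b64)
    except ValueError:
        return None
    if not (isinstance(header, dict) and isinstance(payload, dict)):
        return None
    key = ring.verification_key(str(header.get("kid", "")))
    if key is None:
        return None
    expected = hmac.new(key.secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= ring.now():
        return None
    return payload.get("sub")
```

Because the verifier consults the key's own lifecycle before checking the MAC, a token signed with a key that was rotated out or abandoned long ago is rejected even if its own `exp` claim lies years in the future; a verifier that keeps trusting every key it has ever loaded would accept it, which is the pattern the article describes. In a real deployment the key ring would live in a KMS or HSM rather than process memory, and `rotate()` would run on a schedule rather than by hand.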
This incident is also linked to the recent controversy over the KT femtocell authentication key being left unattended for 10 years. It has been pointed out that major ICT companies in Korea are repeatedly found negligent in managing long-term valid authentication keys.
Chairman Choi criticized, “Renewing the signing key is one of the most basic internal security procedures, yet Coupang failed to observe it. Leaving long-term valid authentication keys unattended is not merely a deviation by internal staff but rather a result of Coupang’s organizational and structural neglect of the authentication system.”
She further urged, “The issue of unattended long-term authentication keys revealed in the KT femtocell incident being repeated at Coupang shows the low sense of security responsibility among our companies. IT and tech companies need to urgently overhaul their entire security systems, including key rotation.”
