• A developer worked at Coupang, then left the company. He was reportedly a Chinese national.
• When he left, his authentication key was never revoked. It still worked.
• He used it to log in remotely and pull customer data — for about a year before anyone noticed.
• It first came to light in November 2025, but the access likely started as early as June 2025.
• Coupang says it’ll fight the fine in court. (Korea Times)

But here’s the thing nobody mentions: there was no genius hack here. No zero-day, no malware. Just a door left unlocked after the guy moved out.

So the headlines scream “BIGGEST FINE EVER.” Let’s check the math. The old record was SK Telecom at $88M. This is 4.6x bigger. That’s not hype — that number is real, and it’s a regulator deciding to make an example. (Fortune)

The leaked info wasn’t just names and phone numbers. It included shipping addresses, order histories, AND in some cases the key codes to enter residential buildings.

Counter-argument first: payment card numbers and government ID numbers were reportedly not touched. So it’s “not the worst case.” Fine.

But here’s the thing nobody mentions — for a stalker or a package thief, your home address + your building’s door PIN + a list of when you order stuff is arguably more dangerous than a stolen credit card. A card you cancel in five minutes. You can’t cancel where you live. (TechTimes)

The data shows insider access — a current or former employee’s login — is one of the slowest breaches to catch, because the system sees a “trusted” key and waves it through. No alarms.

Every company you’ve ever signed up for has ex-employees. Every one of them ran some offboarding process. How many actually checked that every single key got killed? Coupang is a multi-billion-dollar tech company with real security teams, and they missed one for a year.

My verdict: this isn’t a “Korea problem” or a “Coupang problem.” It’s the most common hole in tech, and it just got a $409M price tag stapled to it. (TechRepublic)

Companies accidentally leave live keys lying around in public code all the time — old projects, abandoned repos, copy-pasted config files. Free scanners like TruffleHog and Gitleaks sniff them out in minutes. You find a real one, you don’t use it — you report it through the company’s bug bounty and get paid for the heads-up.

Example: A 21-year-old in Lagos runs TruffleHog against public repos listed on HackerOne’s bounty directory, finds a still-active cloud key in an old commit, files a report. Payout: $1,500 for one afternoon, no permission needed because the program invited it.

Timeline: First valid report in 2–4 weeks once you learn the scanners. Plateaus as more bots flood the same repos — move to less-picked-over targets to stay paid.

Small companies have zero process for “turn off the key when someone quits.” That’s literally the Coupang hole. You sell a dead-simple, done-for-you “leaver kill-switch” audit: list every system, every key, who can touch what, and the exact off-switch for each. No fancy software — a sharp checklist they don’t have time to build.

Example: A 24-year-old in the Philippines packages a Notion offboarding template + a 1-hour live walkthrough, sells it to 5-to-30-person agencies for $120 a pop on Gumroad. 18 sales in a month off LinkedIn cold posts = ~$2,100.

Timeline: First sales in days while the Coupang headline is hot. Demand cools in ~3 months as the news fades — bank it fast.

Here’s the sneaky-clever bit: you can plant a fake key that does nothing except scream an alert the moment anyone tries to use it. Canarytokens makes these for free. Drop them in the spots a sneaky insider would poke first. If a ghost ex-employee comes knocking, the company knows instantly. You sell the setup + monitoring as a tiny service.

Example: A 26-year-old in Brazil sets up 15 canary tokens across a law firm’s shared drives and old servers, charges a $300 setup + $40/month watch fee. Five clients = $200/month passive plus setup cash, using a 100% free tool.

Timeline: First client in 2–3 weeks (security-curious small biz). Scales slow but sticky — these clients rarely cancel once they sleep better.

Right now, every mid-size Korean and Asian firm is staring at a $409M fine thinking “wait, do we have a ghost key?” There’s a short window — maybe 4–8 weeks — where they’ll pay for a fast answer before they hire a real internal team. You don’t fix everything. You just find the orphaned logins and hand over a list.

Example: A 28-year-old freelancer in Vietnam offers a flat “Ghost Access Sweep” — pulls every still-active account/key, flags ex-staff ones, delivers a one-page red list in 48 hours. Three SMEs at $600 each in the first month = $1,800, all off the back of one news cycle.

Timeline: Window opens NOW, closes in ~2 months as panic normalizes. Move while the suits are still scared.

When a breach this big hits, 37.5 million freaked-out people Google “am I in the Coupang leak / what do I do.” Be the first clean, plain-language cheat-sheet that answers it — change passwords, freeze this, watch for that, rotate your building code. The first genuinely useful guide becomes the link everyone shares, and you slot in honest tool recommendations (password managers, identity monitoring).

Example: A 23-year-old in India publishes a tight “Coupang Leak: 7 Things To Do Today” page using Have I Been Pwned checks, ranks for the Korean + English search terms, and earns affiliate cuts from a Bitwarden/monitoring referral. ~$400 in month one, compounding as it ranks.

Timeline: Traffic spikes for 3–6 weeks post-news, then a long slow tail. The early publisher keeps the SEO crown.