By NHI Mgmt Group Editorial Team | Published 2025-12-24 | Domain: Governance & Risk | Source: Unosecur

TL;DR: Coupang disclosed unauthorized access affecting 33.7 million customer accounts, with activity dating back months before detection, and the exposure included names, contact details, addresses, and order information, according to Unosecur’s source article. The incident reinforces that cloud breaches often persist because identity governance, offboarding, and visibility lag behind live access paths.


At a glance

What this is: This is an analysis of the Coupang breach, with the central finding that cloud identity risk can persist for months when access is not continuously governed.

Why it matters: It matters to IAM and NHI practitioners because lingering access, stale entitlements, and weak offboarding can turn ordinary cloud permissions into prolonged exposure.

By the numbers:



Context

Cloud identity risk is what happens when access rights, tokens, and roles outlive the business need that created them. In this case, the primary issue is not a new exploit pattern, but the possibility that legitimate access remained usable long enough to expose large volumes of customer data, which is exactly the kind of governance failure IAM and NHI controls are supposed to prevent.

The Coupang disclosure points to a familiar cloud problem: organisations can have authentication in place and still lose control of who or what can reach sensitive data. That makes this relevant beyond one company, because the same conditions affect service accounts, API keys, and human access paths in environments where visibility and revocation are incomplete.

The starting point here is typical of modern cloud risk, not exceptional. Large-scale exposure often comes from ordinary access that is not revoked, monitored, or revalidated often enough.


Key questions

Q: How should security teams reduce cloud identity risk in customer data environments?

A: Security teams should focus on continuous entitlement review, rapid offboarding, and least-privilege access to customer datasets. The goal is to reduce the number of identities that can reach sensitive data and to shorten the time any unnecessary access remains valid. That is more effective than relying on initial role design alone.

Q: Why do cloud breaches often persist even when authentication is in place?

A: Authentication proves an identity can log in, but it does not prove that the identity should still have the same access. Cloud breaches persist when tokens, roles, or delegated permissions remain valid after the business need has changed. The result is authorised-looking access that can continue until someone reviews and revokes it.

Q: What is the difference between role design and effective access review?

A: Role design defines how access should be structured in theory. Effective access review checks what an identity can actually do in live systems, including inherited permissions, exceptions, and dormant accounts. Practitioners need both, but effective access review is what reveals real exposure when cloud environments drift from the intended model.

Q: When should organisations treat offboarding as a security priority?

A: Organisations should treat offboarding as a security priority whenever an employee, contractor, or automated workflow no longer needs access to production data. Delays in revocation expand the attack window and leave obsolete credentials active. In cloud environments, offboarding should be measured in hours, not as a weekly cleanup task.


Technical breakdown

Why cloud identity risk persists after initial access

Cloud environments are built around identity decisions. A role, token, or session can authorize access without any malware or obvious system failure. If those entitlements remain valid too long, an attacker does not need to break infrastructure again to keep reading data. The problem is compounded when access is granted broadly, inherited through nested roles, or left unreviewed after changes in business need. In practice, this means the security boundary is no longer the perimeter or the workload. It is the live identity state, including whether access is still justified, traceable, and revocable.

Practical implication: Treat active access paths as a continuously changing risk surface, not a static configuration.

Offboarding gaps and stale permissions in cloud accounts

Offboarding failures are one of the most common ways access lingers after employment changes or role shifts. In cloud settings, this can include direct user access, delegated admin rights, service-linked permissions, and recovery credentials that are easy to overlook. Revocation also has to happen across multiple control planes, not just the directory. If cloud entitlements remain in place after a user leaves or a task ends, the organisation has effectively preserved a dormant route into production data. That is why offboarding is an identity control, not an HR afterthought.

Practical implication: Build revocation checks across directory, cloud, and application layers before access is considered closed.
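
The cross-layer revocation check described above, as an added example (not code from Unosecur or NHI Mgmt Group). The identities, credentials and timestamps are constructed, and the 4-hour SLA is an assumed target, since the text only says hours rather than days.

```python
from datetime import datetime

# Constructed inventory (hypothetical names): credentials each control plane
# still reports as live at audit time.
LIVE_ACCESS = {
    "directory": [("j.kim", "sso-account")],
    "cloud": [("j.kim", "access-key"), ("batch-export", "service-role")],
    "application": [("m.lee", "admin-session"), ("batch-export", "api-key")],
}
# Constructed offboarding events: when the business need ended.
OFFBOARDED = {
    "j.kim": datetime(2025, 12, 23, 9, 0),
    "batch-export": datetime(2025, 12, 24, 8, 0),
    "t.park": datetime(2025, 12, 22, 17, 0),
}

def open_revocations(now, sla_hours=4):
    """Per offboarded identity: layers still holding live access, and window age.

    sla_hours is an assumed target, not a value taken from the article.
    """
    report = {}
    for layer, creds in LIVE_ACCESS.items():
        for owner, credential in creds:
            ended = OFFBOARDED.get(owner)
            if ended is None:
                continue  # identity still has a business need
            entry = report.setdefault(owner, {
                "layers": {},
                "window_hours": (now - ended).total_seconds() / 3600,
            })
            entry["layers"].setdefault(layer, []).append(credential)
    for entry in report.values():
        entry["sla_breached"] = entry["window_hours"] > sla_hours
    return report

def is_closed(owner, now):
    """Access counts as closed only when no layer lists a live credential."""
    return owner in OFFBOARDED and owner not in open_revocations(now)

if __name__ == "__main__":
    audit_time = datetime(2025, 12, 24, 10, 0)
    for owner, e in open_revocations(audit_time).items():
        print(owner, sorted(e["layers"]), f'{e["window_hours"]:.0f}h', e["sla_breached"])
```

An identity removed from the directory but still holding a cloud key or application API key stays in the report, which is the dormant route into production data the section warns about.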

Why identity visibility matters more than role design alone

Role design is necessary, but it does not show how permissions are actually used in live systems. Real-world cloud governance needs visibility into effective access, not only configured access. That includes dormant identities, over-privileged accounts, and access paths created through inheritance or exceptions. When teams cannot answer who can reach what today, they cannot measure blast radius or verify least privilege. In identity-first clouds, the operational question is whether granted access matches current risk, not whether the original role model looked sound on paper.

Practical implication: Use continuous entitlement analysis to find access that exists in practice but not in the intended design.
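
A sketch of effective-access analysis, added here as an example and not taken from Unosecur or NHI Mgmt Group. It resolves nested role inheritance and exception grants, then queues dormant identities that still reach sensitive data domains. All role, identity and dataset names are constructed, and the 90-day dormancy threshold is an assumption.

```python
from datetime import datetime, timedelta

# Constructed role model (hypothetical names): nested roles plus direct grants.
ROLES = {
    "support-read": {"inherits": [], "grants": {"customer-orders"}},
    "analytics": {"inherits": ["support-read"], "grants": {"clickstream"}},
    "platform-admin": {"inherits": ["analytics"], "grants": {"customer-pii", "finance"}},
}
# Constructed identities: assigned roles, exception grants, last observed use.
IDENTITIES = {
    "alice": {"roles": ["support-read"], "exceptions": set(), "last_used": "2025-12-20"},
    "svc-report": {"roles": ["analytics"], "exceptions": {"customer-pii"}, "last_used": "2025-06-01"},
    "ex-contractor": {"roles": ["platform-admin"], "exceptions": set(), "last_used": "2025-03-15"},
}
SENSITIVE = {"customer-pii", "customer-orders", "finance"}

def role_grants(role, seen=None):
    """Grants of a role plus everything it inherits (safe against cycles)."""
    seen = set() if seen is None else seen
    if role in seen or role not in ROLES:
        return set()
    seen.add(role)
    grants = set(ROLES[role]["grants"])
    for parent in ROLES[role]["inherits"]:
        grants |= role_grants(parent, seen)
    return grants

def effective_access(identity):
    """What the identity can reach today: exceptions plus resolved role grants."""
    ident = IDENTITIES[identity]
    access = set(ident["exceptions"])
    for role in ident["roles"]:
        access |= role_grants(role)
    return access

def review_queue(today, dormant_days=90):
    """Dormant identities that still reach sensitive data, widest reach first."""
    cutoff = today - timedelta(days=dormant_days)
    rows = []
    for name, ident in IDENTITIES.items():
        reach = effective_access(name) & SENSITIVE
        if reach and datetime.strptime(ident["last_used"], "%Y-%m-%d") < cutoff:
            rows.append((name, sorted(reach)))
    return sorted(rows, key=lambda r: (-len(r[1]), r[0]))

if __name__ == "__main__":
    for name, reach in review_queue(datetime(2025, 12, 24)):
        print(name, reach)
```

In the sample data, `svc-report` is assigned only the `analytics` role, yet it reaches order data through inheritance and PII through an exception. Role design alone does not show that gap.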


Threat narrative

Attacker objective: The objective was prolonged access to customer data at scale, not immediate service disruption.

  1. Entry likely depended on a valid identity path rather than destructive malware, because the breach involved unauthorized access to customer information over time.
  2. Escalation would have come from using that access to reach data stores or applications with broader customer records than the initial entry point required.
  3. Impact was sustained exposure of names, contact details, addresses, and order-related information across a long undetected window.



NHI Mgmt Group analysis

Cloud identity risk is now a governance problem, not just a detection problem. The Coupang disclosure reinforces that attackers do not need novel malware when identity state remains valid for too long. IAM teams must assume that standing access, stale tokens, and incomplete revocation can create long-lived exposure even when authentication works as designed.

Identity blast radius is the right concept for cloud breach analysis. Once unauthorized access exists, the question becomes how far that access can extend across accounts, data stores, and delegated permissions. That is why practitioners should measure the blast radius of every identity class, including human accounts, service accounts, and temporary credentials.

Offboarding is a security control, not an administrative workflow. Breaches like this show that access removal timelines directly shape exposure windows. Organisations that cannot revoke access quickly are not merely inefficient; they are preserving an attack path that may remain usable long after the original business need has ended.

Continuous entitlement review is now a baseline expectation for cloud governance. Static role design cannot keep pace with changes in projects, teams, and integrations. Practitioners should treat effective access review as part of operational security, because the real risk sits in what identities can do today, not what they were intended to do last quarter.

From our research:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
  • That is why the 52 NHI Breaches Analysis is useful for teams building a practical exposure-reduction playbook.

What this signals

Identity governance has to move from periodic review to continuous exposure management. Once access can remain valid for months, the control objective shifts from proving policy existence to proving that live permissions are still justified. For practitioners, that means building a programme that correlates identity state, data sensitivity, and revocation speed into one operating view.

With 91.6% of secrets still valid five days after notification, per Ultimate Guide to NHIs, delayed remediation is a structural cloud risk, not an edge case. Security teams should expect access windows to outlast detection unless they automate response around identity events.


For practitioners

  • Map effective cloud access, not just assigned roles: Inventory who and what can reach customer data across cloud accounts, SaaS apps, and admin planes. Focus on effective permissions, inherited access, and exceptions that expand exposure beyond the intended design.
  • Shorten identity offboarding and revocation timelines: Remove user, service, and delegated access as part of a single closure workflow, and verify revocation across directory, cloud, and application layers within hours, not days.
  • Review dormant and over-privileged identities first: Prioritise accounts that have not been used recently, hold broad permissions, or can reach sensitive records without additional approval. These identities usually create the largest unmonitored exposure windows.
  • Measure access exposure by data domain: Tie each identity class to the specific customer, finance, or operational datasets it can reach so incident response can estimate blast radius quickly when suspicious activity appears.

Key takeaways

  • Cloud breaches often become prolonged because valid identity paths outlive the business need that created them.
  • The scale of exposure in this case shows why access governance and offboarding must be treated as core security controls.
  • Practitioners should prioritise effective access review, rapid revocation, and blast-radius analysis over static role design alone.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Stale credentials and slow revocation fit this control area.
NIST CSF 2.0 | PR.AC-4 | Least-privilege access and authorization review are central here.
NIST Zero Trust (SP 800-207) | | Continuous verification is required when access can persist unnoticed.

Set rotation and revocation SLAs for cloud identities, then verify they are enforced across all systems.


Key terms

  • Effective Access: The permissions an identity can actually use in a live environment, not just what is written in a policy document. This includes inherited rights, exceptions, delegated permissions, and dormant access paths that remain technically valid even after the original business need has ended.
  • Identity Blast Radius: The amount of data, systems, and operational scope that a compromised identity can reach. In cloud environments, blast radius depends on entitlement depth, data sensitivity, and how quickly access can be revoked or narrowed when unusual activity appears.
  • Offboarding Revocation Window: The time between a user or workflow no longer needing access and that access being fully removed across relevant systems. Longer windows increase the chance that obsolete credentials, sessions, or delegated rights can be reused during or after departure.

What's in the full article

Unosecur's full article covers the operational detail this post intentionally leaves for the source:

  • The company’s own breakdown of the disclosure timeline and the exact sequence of public reporting
  • The vendor’s explanation of how its identity risk platform is positioned to detect over-privileged, dormant, and risky cloud access paths
  • The article’s recommended next step for organisations that want to assess hidden identity exposure in live cloud environments


NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-12-24.