Coupang and Clop Oracle Breaches Reveal Credential Theft as the Persistent Gap

Coupang's retained former-employee account exposed records for nearly 34 million customers, while the Clop group leveraged a known Oracle E-Business Suite flaw to steal administrative credentials and reach student and insurance data at multiple institutions including the University of Pennsylvania. In both incidents the first foothold produced reusable credentials that enabled immediate database access and lateral movement.

The Coupang breach occurred because an account stayed active after the employee departed, giving direct entry to customer databases without further checks. The Oracle incidents followed the same pattern: attackers used the unpatched vulnerability to harvest administrative credentials, then created additional accounts and extracted records. Both succeeded because the authentication systems treated credentials as transferable secrets instead of device-specific proofs.

Credential Retention and Exploit Chains

In the Coupang case the lack of device binding left the former employee's account usable long after off-boarding should have revoked it. Attackers needed only the retained credentials to reach the data. In the Oracle incidents the vulnerability served mainly as an entry point; once administrative credentials were obtained they functioned as reusable keys for privilege escalation and data extraction. The shared weakness was reliance on secrets that could be kept, stolen, or reused after the initial login.

Limitations of Login-Only Authentication Standards

Standards such as FIDO2 strengthen the login step itself yet leave the rest of the identity lifecycle—account creation, privilege assignment, and revocation—dependent on the same reusable credential model. When an account persists without a bound device, as happened at Coupang, or when harvested credentials allow new account creation after an exploit, the standards add no further control. An initial compromise therefore escalates reliably because later stages still operate on transferable secrets rather than cryptographic proofs tied to hardware.

Device-Bound Public-Key Credentials as Prevention

MFA 2.0 replaces reusable credentials with device-bound public-key pairs generated on the endpoint. The private key never leaves the device and no central database holds shared secrets that attackers can harvest. Authentication occurs on the same device where the key resides, so no second factor or code can be intercepted or replayed. This architecture covers the full identity lifecycle: registration binds the key to a verified user and device, authorization decisions reference the enrolled binding, and decommissioning simply removes the binding without leaving passwords or seeds behind.

In the Coupang incident device-bound credentials would have required the former employee to present the enrolled device for any access after departure; without that device the account would have been unusable. In the Oracle cases even successful exploitation of the vulnerability would have produced no transferable credential for lateral movement or additional account creation. The attack chain ends at the first step because no reusable secret exists to advance further. This approach differs from passkeys alone, which secure only the login event, by enforcing the same cryptographic binding across provisioning, privilege changes, and revocation.