Coupang’s Massive Data Breach Exposes 33.7 Million Customer Records
In a significant cybersecurity incident, South Korean e-commerce leader Coupang has disclosed a data breach affecting approximately 33.7 million customers, nearly its entire user base. The compromised data includes names, phone numbers, email addresses, shipping addresses, and order histories. Notably, sensitive financial information such as credit card numbers and payment details was not accessed, nor were account passwords.
Timeline of the Breach
The unauthorized access began on June 24, 2025, but remained undetected until November 18, 2025. Initially, Coupang estimated that around 4,500 accounts were affected. However, a comprehensive internal investigation later revealed the breach’s full extent, confirming that tens of millions of records had been accessed via an overseas internet connection.
Cause and Method of the Breach
Investigations indicate that a former employee exploited unrevoked internal access credentials to gain unauthorized entry. This individual, believed to be of Chinese nationality and previously involved in developing Coupang’s authentication systems, allegedly used valid signing keys to generate access tokens. These tokens allowed the attacker to bypass standard login procedures and access the system remotely. Coupang acknowledged that the specific keys used in this attack remained valid long after the employee’s departure, highlighting a critical lapse in its identity and access management protocols.
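The lapse described above, shown from the verifier's side as an added example that is not Coupang's code: a token check that consults a signing-key registry, so a correctly signed token is still rejected once its key has been revoked at offboarding. The HMAC token format, key IDs, owner names and secrets are constructed assumptions; the article does not say which token scheme Coupang used.

```python
import base64, hashlib, hmac, json

# Constructed registry: every signing key has an owner and a lifecycle state.
KEYS = {
    "k-2024-01": {"secret": b"constructed-secret-A", "owner": "svc-auth", "revoked_at": None},
    "k-2023-07": {"secret": b"constructed-secret-B", "owner": "former.employee", "revoked_at": None},
}

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(secret, body):
    return hmac.new(secret, body.encode(), hashlib.sha256).digest()

def sign_token(kid, claims, registry=KEYS):
    body = _b64(json.dumps({"kid": kid, **claims}, sort_keys=True).encode())
    return body + "." + _b64(_mac(registry[kid]["secret"], body))

def revoke_keys_for(owner, when, registry=KEYS):
    """Offboarding step: revoke every signing key the departing owner could use."""
    hit = [kid for kid, k in registry.items() if k["owner"] == owner and k["revoked_at"] is None]
    for kid in hit:
        registry[kid]["revoked_at"] = when
    return hit

def verify_token(token, now, registry=KEYS):
    """Return (ok, reason); a valid signature alone is not sufficient."""
    try:
        body, sig = token.split(".")
        claims = json.loads(_unb64(body))
        key = registry.get(claims.get("kid"))
        given = _unb64(sig)
    except (ValueError, AttributeError, TypeError):
        return False, "malformed"
    if key is None:
        return False, "unknown-key"
    if not hmac.compare_digest(_mac(key["secret"], body), given):
        return False, "bad-signature"
    # Claims such as an issue time are written by whoever holds the key, so
    # revocation is judged against the verifier's clock, not the token's.
    if key["revoked_at"] is not None and now >= key["revoked_at"]:
        return False, "revoked-key"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "expired"
    return True, "ok"
```

Logging the "revoked-key" result separately from "bad-signature" gives detection teams a direct signal that a retired key is still in someone's hands.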
Regulatory and Legal Implications
The breach has prompted significant regulatory scrutiny. Under South Korea’s Personal Information Protection Act, companies can be fined up to 3% of their average annual revenue for such violations. Given Coupang’s recent revenue figures, the fine could reach as high as 1 trillion won (approximately $680 million), potentially setting a new record for data breach penalties in the country. The Seoul Metropolitan Police Agency is actively investigating the incident, analyzing server logs, and collaborating with international agencies to trace the IP address involved.
Company Response and Customer Advisory
Coupang has issued apologies to its customers and is notifying all affected individuals via email and text messages. The company is fully cooperating with the Personal Information Protection Commission and the Korea Internet & Security Agency. Customers are advised to remain vigilant against potential phishing attempts disguised as official Coupang communications. While no instances of the accessed information being misused have been identified to date, users are encouraged to monitor their accounts for any suspicious activity.
Industry Impact and Future Measures
This incident underscores the critical importance of robust cybersecurity measures, especially in the e-commerce sector, where vast amounts of personal data are handled daily. It serves as a stark reminder for companies to implement stringent access controls, regularly update security protocols, and promptly revoke access credentials of former employees to prevent similar breaches.