Coupang Data Breach Exposed Personal Records of 33.7 Million Customers

South Korean e-commerce giant Coupang has confirmed a massive security incident affecting approximately 33.7 million customers, nearly the company’s entire user base.

The breach, which exposed names, phone numbers, email addresses, shipping addresses, and order histories, has been traced back to a former employee who exploited unrevoked internal access credentials.

While the scale of the leak is unprecedented, Coupang has assured customers that sensitive financial data (credit card numbers and payment information) and account passwords were not compromised.

The company has stated that affected users do not need to take specific protective actions regarding their accounts but should remain vigilant against potential phishing attempts disguised as official Coupang communications.

The unauthorized access reportedly began on June 24, 2025, but went undetected for months. Coupang first identified abnormal activity on November 18, initially estimating that only 4,500 accounts were impacted.

However, a subsequent internal investigation revealed the true extent of the damage, confirming that tens of millions of records had been accessed via an overseas internet connection.


The breach highlights a critical failure in Coupang’s identity and access management (IAM) protocols. According to Rep. Choi Min-hee, chair of the National Assembly’s Science, ICT, Broadcasting and Communications Committee, the company failed to revoke cryptographic signing keys associated with a former employee upon their departure.

The suspect, believed to be a former staff member of Chinese nationality who worked on authentication systems, allegedly used these valid signing keys to generate access tokens.

These tokens allowed the attacker to bypass standard login procedures and access the system remotely. Coupang admitted that while industry standards for key expiration vary, the specific keys used in this attack remained valid long after the employee left the organization.
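The failure described above is a key-lifecycle problem rather than a broken algorithm: a token signed with a legitimately issued key verifies correctly no matter who holds the key, so the verifier itself must consult key expiry and revocation state, and offboarding must revoke every key tied to the departing person. The following Python is an added illustration of that control, not code from Coupang or from this article; the registry, key names, owners and timestamps are constructed for the example, and the token format is a JWT-like header.payload.signature layout with HMAC-SHA256.

```python
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical key registry for this example: each signing key records who
# is accountable for it, a hard expiry, and whether it has been revoked.


@dataclass
class SigningKey:
    kid: str            # key identifier carried in the token header
    secret: bytes       # HMAC secret (constructed sample value in tests)
    owner: str          # person or service accountable for the key
    not_after: float    # absolute expiry, Unix seconds
    revoked: bool = False


class KeyRegistry:
    def __init__(self) -> None:
        self._keys: Dict[str, SigningKey] = {}

    def add(self, key: SigningKey) -> None:
        self._keys[key.kid] = key

    def get(self, kid: str) -> Optional[SigningKey]:
        return self._keys.get(kid)

    def offboard(self, owner: str) -> List[str]:
        """Revoke every key tied to a departing owner; return the revoked kids.
        This is the step that must run as part of offboarding."""
        revoked = []
        for key in self._keys.values():
            if key.owner == owner and not key.revoked:
                key.revoked = True
                revoked.append(key.kid)
        return revoked


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(registry: KeyRegistry, kid: str, claims: dict) -> str:
    """Sign claims with the named key: header.payload.signature."""
    key = registry.get(kid)
    if key is None:
        raise KeyError(kid)
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(key.secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def verify_token(registry: KeyRegistry, token: str,
                 now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). A valid signature alone is not enough: the
    signing key must be known, unexpired and not revoked, and the token's own
    exp claim must not have passed."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64(header_b64))
        payload = json.loads(_unb64(payload_b64))
    except (ValueError, json.JSONDecodeError):
        return False, "malformed"
    if header.get("alg") != "HS256":
        return False, "bad-alg"
    key = registry.get(header.get("kid", ""))
    if key is None:
        return False, "unknown-kid"
    expected = hmac.new(key.secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        return False, "bad-signature"
    if key.revoked:
        return False, "key-revoked"
    if now > key.not_after:
        return False, "key-expired"
    if now > float(payload.get("exp", 0)):
        return False, "token-expired"
    return True, "ok"


if __name__ == "__main__":
    reg = KeyRegistry()
    reg.add(SigningKey("auth-key-1", b"constructed-secret", "auth-dev-1", not_after=2_000_000_000))
    tok = mint_token(reg, "auth-key-1", {"sub": "internal-tool", "exp": 1_700_003_600})
    print(verify_token(reg, tok, now=1_700_000_000))   # accepted while the owner is employed
    reg.offboard("auth-dev-1")                          # departure revokes the key
    print(verify_token(reg, tok, now=1_700_000_000))   # same token now rejected
```

The point of the `now` parameter is that expiry and revocation are evaluated at verification time, not at minting time: a token minted while the key was valid is rejected the moment the key is revoked or passes `not_after`, which is exactly the property that was missing when keys stayed valid after the employee's departure. A `key-revoked` or `key-expired` result is also worth logging as a distinct event, since repeated attempts to use a departed owner's key are a detection signal in their own right.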

The Seoul Metropolitan Police Agency is currently analyzing server logs and collaborating with international agencies to trace the IP address involved. Investigators are also determining if the suspect is linked to anonymous emails sent to Coupang threatening to reveal the security flaws. Notably, these communications did not include a ransom demand.

The regulatory fallout for Coupang could be historic. Under the Personal Information Protection Act, companies can be fined up to 3 percent of their average annual revenue for such violations.

Given Coupang’s recent revenue figures, the fine could reach as high as 1 trillion won ($680 million), potentially shattering the previous record penalty of 134.8 billion won set by a prior telecommunications breach.

Coupang is currently notifying all affected individuals via email and text message, while fully cooperating with the Personal Information Protection Commission and the Korea Internet & Security Agency.
