![Coupang informs customers about data leak on Nov. 30. [KIM HYUN-DONG]](https://koreajoongangdaily.joins.com/data/photo/2025/12/01/af1bc7ab-fcce-4567-bdce-cf44b7bee802.jpg)
Coupang informs customers about data breach on Nov. 30. [KIM HYUN-DONG]
Coupang, a prominent South Korean e-commerce platform, has disclosed a significant data breach affecting approximately 33.7 million user accounts. The incident raises alarms over potential secondary threats, such as phishing scams and identity theft. The compromised data set includes customer names, phone numbers, email addresses, delivery locations, and select order information.
In a statement released on Saturday, Coupang confirmed that the personal information had been accessed without authorization, emphasizing that sensitive financial details—such as payment data, credit card numbers, and login passwords—were not involved in the breach. However, cybersecurity experts caution that even this seemingly limited data can facilitate various forms of fraud, including voice phishing, account takeovers, and identity theft.
In response to the breach, South Korea’s Ministry of Science and ICT, along with the Personal Information Protection Commission and the Korea Internet and Security Agency (KISA), issued a nationwide security alert. Authorities urged the public to remain vigilant against fraudulent messages claiming refunds or compensation and highlighted potential tactics where malicious actors may attempt to exploit the compromised information.
Anxiety has spread among users, particularly on social media platforms, with many opting to change their personal identification codes required for international transactions or deciding to cease using the platform entirely. The direct-to-door delivery service offered by Coupang has raised specific concerns that even shared entry codes for building access may have been compromised.
Experts have stressed the importance of immediate action by users, advising that they update any changeable information. With leaked account data frequently sold and reused, KISA pointed out that methods such as credential stuffing—where stolen usernames and passwords are tested across different sites—pose an ongoing risk.
The breach could be indicative of various tactics within the MITRE ATT&CK framework, including initial access through phishing or exploiting vulnerabilities, and persistence techniques that maintain access to compromised networks. The transference of compromised information from Coupang to other services risks further infiltration of user accounts if similar credentials are employed across platforms.
Youm Heung-youl, a cybersecurity professor at Soonchunhyang University, highlighted the potential for attackers to combine leaked data from Coupang with other known breaches, such as the Lotte Card incident which involved sensitive card details. He underscores the critical need for users to vary passwords across different services and enable two-factor authentication wherever possible.
Hwang Suk-jin from Dongguk University warned that phone numbers could be misused by criminals to manipulate social networks, possibly leading to further privacy invasions, such as deepfake creation. Moreover, security experts advocate for immediate alterations to address-related information, as the fallout from such breaches may extend beyond financial loss to personal safety concerns.
In an effort to mitigate public concern, experts are calling for both Coupang and governmental bodies to transparently communicate the evolving risks associated with the breach. Prof. Hwang noted that investigations typically unfold over extended periods—often exceeding several years—making timely disclosures imperative for restoring public confidence.
Speculation surrounding the breach suggests it may have stemmed from insider compromise, with some conspiracy theories emerging in far-right online communities alleging external interference aimed at destabilizing Coupang. In light of these developments, the South Korean government announced a three-month campaign focused on monitoring personal data exposure and illegal online activity.
This article was originally written in Korean and translated by a bilingual reporter with the assistance of generative AI tools. It has undergone editing by a native English-speaking editor, ensuring clarity and factual precision. All AI-assisted translations are rigorously reviewed by our newsroom.
BY KIM JEONG-JAE [[email protected]]
