Coupang, South Korea's dominant e-commerce platform and often called the "Amazon of South Korea," has confirmed a data breach that may have exposed the personal information of up to 33.7 million customer accounts. The company issued a public apology and reported the incident to South Korean internet authorities, who have opened a full-scale investigation. The scale is staggering: 34 million records represent well over half of South Korea's population of roughly 52 million.
What Happened
Coupang first detected unauthorized access to approximately 4,500 customer accounts on November 18th and promptly reported it to the authorities. Subsequent forensic work revealed the true blast radius was far larger, with roughly 33.7 million domestic customer accounts likely exposed. Investigators believe the intrusion began as early as June, potentially originating from a server located overseas. That timeline points to a prolonged window of compromise and raises hard questions about Coupang's security monitoring, detection tuning, and incident response protocols. Coupang, though founded in South Korea, is headquartered in the United States and reports nearly 25 million active users, adding cross-jurisdictional complexity to the regulatory response.
What Was Taken
The exposed data set includes customer names, email addresses, phone numbers, shipping addresses, and some order histories. Coupang states that credit card information and login credentials were not compromised and remain protected. While that reduces the risk of direct account takeover or financial fraud, the leaked combination of identity, contact, and location data is a potent toolkit for targeted phishing, smishing, and social engineering campaigns against a large slice of the South Korean public.
Why It Matters
This breach continues a troubling pattern of large-scale data leaks at major South Korean firms, following incidents at telecommunications giant SK Telecom. For defenders, the case underscores two enduring themes: dwell time and insider risk. A months-long detection gap suggests attackers can operate inside high-value environments far longer than acceptable. South Korean media have reported unconfirmed suspicions that a former Coupang employee from China may be involved, spotlighting insider threats as a common but frequently underinvested-in risk. The multinational structure also raises accountability questions about how corporations safeguard data across differing legal jurisdictions.
The Attack Technique
Coupang has not disclosed the perpetrators or a definitive intrusion method. The available signals point to a possible insider-enabled compromise, potentially involving a former employee, and a server located overseas as part of the access path. The gap between initial detection of 4,500 accounts and the eventual 33.7 million figure suggests attackers may have leveraged legitimate or over-provisioned access to move laterally and enumerate customer records at scale before the full scope was understood.
What Organizations Should Do
- Enforce least-privilege access and immediately revoke credentials, tokens, and VPN access for departing employees and contractors as part of offboarding.
- Deploy user and entity behavior analytics to flag anomalous bulk data access and enumeration, especially from privileged or service accounts.
- Reduce dwell time with continuous monitoring, alert tuning, and regular threat hunting rather than relying on point-in-time detection.
- Segment and monitor customer data stores, applying strict egress controls and logging on any server reachable from overseas or third-party environments.
- Treat insider risk as a first-class program, combining access reviews, separation-of-duties, and data loss prevention controls.
- Prepare customer-facing anti-fraud messaging and warn users to be wary of scams impersonating the brand, since leaked contact data fuels targeted phishing.
Sources: South Korea Data Breach: Coupang Faces Major Privacy Scandal Affecting 34 Million Customers (2026)