Coupang Taiwan's chief information security officer publicly confirmed a November 2025 data breach during a CYBERSEC 2026 keynote in Taipei, disclosing that approximately 33.7 million customer accounts were exposed globally, including roughly 200,000 accounts belonging to Taiwanese users. The e-commerce giant has launched a bug bounty program in the wake of the disclosure as part of a broader remediation effort.
What Happened
In November 2025, attackers gained access to Coupang's customer account systems, compromising data tied to tens of millions of users across the company's global footprint. The disclosure was made roughly six months after the incident, during a public security conference rather than through a coordinated regulatory notification at the time of the breach. The CISO used the CYBERSEC 2026 stage to walk through the timeline, scope, and the company's response posture, including the launch of a public bug bounty program intended to surface vulnerabilities before adversaries can exploit them again.
What Was Taken
Coupang has confirmed that approximately 33.7 million customer accounts were affected worldwide, with around 200,000 of those belonging to Taiwanese customers. While the specific data fields exposed have not been fully itemized in the public disclosure, customer account breaches of this scale typically include identifiers such as names, email addresses, phone numbers, hashed credentials, shipping addresses, and order history. Given Coupang's role as a major e-commerce platform, the exposed data is highly valuable for downstream credential stuffing, phishing, and identity fraud campaigns targeting Taiwanese and global consumers.
Why It Matters
Coupang is one of the largest e-commerce operators serving the Asia-Pacific region, and a breach of this magnitude has implications well beyond the immediate victim pool. The six-month gap between intrusion and public disclosure raises concerns about notification timeliness, particularly under Taiwan's tightening data privacy regime following the establishment of the Personal Data Protection Commission (PDPC). For defenders, the incident reinforces that large consumer platforms remain prime targets for bulk credential and PII theft, and that exposed datasets typically resurface in criminal markets to fuel secondary attacks against unrelated services that share user credentials.
The Attack Technique
The initial access vector and full attack chain have not been publicly disclosed by Coupang as of this writing. The company's decision to launch a bug bounty program in conjunction with the breach disclosure suggests the root cause may have involved an exploitable application-layer vulnerability or an exposed interface, though this has not been confirmed. Until Coupang publishes a more detailed post-incident report, defenders should assume the threat actor leveraged techniques common to large e-commerce breaches: exploitation of internet-facing application flaws, abuse of API endpoints, or compromise of third-party integrations with access to customer data stores.
What Organizations Should Do
- Force password resets and invalidate active session tokens for any Coupang accounts, and warn users that credentials reused on other services should be rotated immediately.
- Monitor for credential stuffing attacks against your own login surfaces using known-breached email lists, and deploy bot mitigation and MFA enforcement on consumer-facing authentication endpoints.
- Audit external attack surface and API gateways for unauthenticated or weakly authenticated endpoints that expose customer data in bulk.
- Review breach disclosure obligations under Taiwan's PDPC framework and equivalent regional regimes to ensure your own incident response playbooks meet timeliness requirements.
- Enrich phishing and fraud detection rules with Coupang-themed lures, which are likely to spike as criminals weaponize the leaked customer list.
- Establish or formalize a vulnerability disclosure or bug bounty program before an incident forces one into existence under public pressure.
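The credential stuffing monitoring recommended above can be sketched as follows. This is an added example, not code from Coupang or the source article. The log format, thresholds, addresses and account names are all constructed assumptions. It flags source IPs that try many distinct accounts with a high failure ratio inside a short window, and lists accounts that logged in successfully from such an IP, which are the candidates for a forced reset and session invalidation.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log: timestamp, source IP, account, result (assumed format).
SAMPLE_LOG = """\
2026-05-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2026-05-01T10:00:02Z 198.51.100.20 bob@example.com FAIL
2026-05-01T10:00:03Z 203.0.113.7 carol@example.com FAIL
2026-05-01T10:00:04Z 192.0.2.50 u1@example.com OK
2026-05-01T10:00:05Z 203.0.113.7 dave@example.com FAIL
2026-05-01T10:00:06Z 192.0.2.50 u2@example.com OK
2026-05-01T10:00:07Z 203.0.113.7 erin@example.com FAIL
2026-05-01T10:00:08Z 192.0.2.50 u3@example.com OK
2026-05-01T10:00:09Z 203.0.113.7 eve@example.com FAIL
2026-05-01T10:00:10Z 192.0.2.50 u4@example.com OK
2026-05-01T10:00:11Z 203.0.113.7 frank@example.com OK
2026-05-01T10:00:12Z 192.0.2.50 u5@example.com OK
2026-05-01T10:00:20Z 198.51.100.20 bob@example.com OK
"""

WINDOW = timedelta(minutes=5)   # sliding window per source IP (assumed threshold)
MIN_ACCOUNTS = 5                # distinct accounts tried within the window
MIN_FAIL_RATIO = 0.8            # share of failed attempts within the window

def parse(line):
    ts, ip, account, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account.lower(), result == "OK"

def detect(log_text):
    """Return (flagged source IPs, accounts that logged in from a flagged IP)."""
    recent = defaultdict(deque)  # ip -> (timestamp, account, ok) events inside WINDOW
    flagged, at_risk = set(), set()
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ts, ip, account, ok = parse(line)
        events = recent[ip]
        events.append((ts, account, ok))
        while ts - events[0][0] > WINDOW:   # drop events older than the window
            events.popleft()
        accounts = {a for _, a, _ in events}
        fails = sum(1 for _, _, o in events if not o)
        # Many accounts plus mostly failures separates stuffing from a shared NAT
        # (many accounts, mostly successes) and from one user mistyping a password.
        if len(accounts) >= MIN_ACCOUNTS and fails / len(events) >= MIN_FAIL_RATIO:
            flagged.add(ip)
        if ip in flagged:
            at_risk.update(a for _, a, o in events if o)
    return flagged, at_risk

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

Per-IP counting misses attempts spread across many source addresses, so in practice the same windowed logic is also keyed on other signals such as ASN or client fingerprint.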
Sources: Coupang Taiwan reveals 2025 data breach affecting 33.7 million accounts, launches bug bounty program