SEOUL, Nov. 30 (Yonhap) -- Anxiety and frustration are mounting following a massive data breach at e-commerce giant Coupang that local observers noted Sunday may have been ongoing for months.
On Saturday, the U.S.-listed company confirmed personal information belonging to 33.7 million customers -- nearly its entire user base -- had been compromised.
The breached data includes names, phone numbers, email addresses and delivery addresses. The company said payment information, credit card numbers and login credentials were not affected.
"Unauthorized access to delivery-related personal information for the affected accounts appears to have been made through overseas servers since June 24," the company said.
This photo shows a distribution center of e-commerce giant Coupang in Seoul on Nov. 5, 2025. (Yonhap)
The company first discovered the breach on Nov. 18 and notified authorities within two days. Coupang initially reported a leak affecting approximately 4,500 customers. Police launched an investigation after receiving a complaint Tuesday to determine how the breach occurred.
As the scope of the breach proves far larger than the 4,500 accounts initially reported and extends back several months earlier than first believed, customers have expressed serious concerns about potential misuse of their compromised information.
The incident surpasses SK Telecom's data leak in April, affecting 23.2 million users, which resulted in a record fine of 134.8 billion won.
In addition,
Source: https://en.yna.co.kr/view/AEN20251130000800315
Coupang cybersecurity rating report: https://www.rankiteo.com/company/coupang
"id": "COU1764467849",
"linkid": "coupang",
"type": "Breach",
"date": "6/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '33.7 million',
'industry': 'Retail/Logistics',
'location': 'Seoul, South Korea (HQ); '
'U.S.-listed',
'name': 'Coupang',
'size': '33.7 million customers (nearly '
'entire user base)',
'type': 'E-Commerce'}],
'attack_vector': ['Compromised Overseas Servers',
'Potential Insider Threat or Third-Party '
'Vulnerability'],
'data_breach': {'data_encryption': None,
'data_exfiltration': 'Yes (via overseas servers)',
'file_types_exposed': None,
'number_of_records_exposed': '33.7 million',
'personally_identifiable_information': ['Names',
'Phone '
'Numbers',
'Email '
'Addresses',
'Delivery '
'Addresses'],
'sensitivity_of_data': 'Moderate to High (PII '
'but no financial/payment '
'data)',
'type_of_data_compromised': ['Personal '
'Identifiable '
'Information '
'(PII)']},
'date_detected': '2025-11-18',
'date_publicly_disclosed': '2025-11-29',
'description': 'A massive data breach at e-commerce giant '
'Coupang compromised personal information of 33.7 '
'million customers, nearly its entire user base. '
'The breach, which may have been ongoing since '
'June 24, involved unauthorized access to '
'delivery-related personal data (names, phone '
'numbers, email addresses, and delivery '
'addresses) via overseas servers. Payment '
'information, credit card numbers, and login '
'credentials were reportedly not affected. The '
'company initially underreported the scale (4,500 '
'accounts) but later confirmed the full extent '
'after an investigation was launched. Customer '
'anxiety and regulatory scrutiny are mounting, '
"with comparisons drawn to SK Telecom's 23.2 "
'million-user breach in April, which incurred a '
'record 134.8 billion won fine.',
'impact': {'brand_reputation_impact': 'Severe; potential '
'long-term trust erosion',
'conversion_rate_impact': None,
'customer_complaints': 'Mounting anxiety and '
'frustration among customers',
'data_compromised': ['Names',
'Phone Numbers',
'Email Addresses',
'Delivery Addresses'],
'downtime': None,
'financial_loss': None,
'identity_theft_risk': 'High (due to exposure of PII)',
'legal_liabilities': 'Potential regulatory fines '
"(comparable to SK Telecom's "
'134.8 billion won penalty)',
'operational_impact': None,
'payment_information_risk': 'None (explicitly stated '
'as unaffected)',
'revenue_loss': None,
'systems_affected': ['Delivery-Related Databases',
'Overseas Servers']},
'initial_access_broker': {'backdoors_established': None,
'data_sold_on_dark_web': None,
'entry_point': 'Overseas servers '
'(unauthorized access)',
'high_value_targets': ['Customer PII '
'databases'],
'reconnaissance_period': 'Potentially '
'since June '
'24, 2025 '
'(undetected '
'for ~5 '
'months)'},
'investigation_status': 'Ongoing (police investigating breach '
'origins and scope)',
'post_incident_analysis': {'corrective_actions': None,
'root_causes': None},
'references': [{'date_accessed': '2025-11-30',
'source': 'Yonhap News Agency',
'url': None}],
'regulatory_compliance': {'fines_imposed': None,
'legal_actions': 'Police investigation '
'ongoing',
'regulations_violated': None,
'regulatory_notifications': 'Authorities '
'notified '
'within 2 '
'days of '
'detection '
'(November '
'20)'},
'response': {'adaptive_behavioral_waf': None,
'communication_strategy': 'Public disclosure on '
'November 29; initial '
'underreporting (4,500 '
'accounts) corrected '
'later',
'containment_measures': None,
'enhanced_monitoring': None,
'incident_response_plan_activated': 'Yes (notified '
'authorities '
'within 2 days '
'of detection)',
'law_enforcement_notified': 'Yes (police '
'investigation launched '
'after complaint on '
'November 25)',
'network_segmentation': None,
'on_demand_scrubbing_services': None,
'recovery_measures': None,
'remediation_measures': None,
'third_party_assistance': None},
'title': 'Massive Data Breach at Coupang Affecting 33.7 Million '
'Customers',
'type': ['Data Breach', 'Unauthorized Access']}