Coupang CEO Resigns Following Massive Data Breach at Online Retailer

**Coupang Suffers Massive Data Breach Affecting 33.7 Million Users**

South Korea’s largest e-commerce platform, Coupang, disclosed a major data breach on November 29, 2025, exposing personal information from 33.7 million customer accounts, nearly its entire user base. The breach, which originated from overseas servers, began on June 24, 2025, and went undetected until November 18.

The leaked data included names, email addresses, phone numbers, shipping addresses, and order histories, though payment details and login credentials were reportedly unaffected. Investigations suggest the breach stemmed from an insider threat, with a former employee allegedly exploiting lingering access credentials after departure—a failure in internal access controls rather than an external hack.

In response to the fallout, CEO Park Dae-jun resigned, issuing a public apology and taking accountability for the incident. The breach has severely damaged customer trust, with reports of users reducing activity and small sellers experiencing order declines of up to 30%. Coupang now faces potential regulatory penalties, including a fine of up to 1 trillion won ($770 million) under South Korea’s data-protection laws.

The incident underscores vulnerabilities in e-commerce security, particularly around insider threats and access management. Exposed personal data heightens risks of phishing, scams, and fraudulent activity, with reports of suspicious login attempts and smishing (SMS scams) already emerging. For global e-commerce firms, the breach serves as a cautionary example of the consequences of inadequate internal safeguards.

Coupang, once celebrated for its rocket-delivery services and convenience, now grapples with long-term reputational damage as customers and regulators reassess trust in the platform.

Source: https://meyka.com/blog/coupang-ceo-resigns-following-massive-data-breach-at-online-retailer/

Coupang cybersecurity rating report: https://www.rankiteo.com/company/coupang

"id": "COU1765361181",
"linkid": "coupang",
"type": "Breach",
"date": "11/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '33.7 million',
                        'industry': 'Retail',
                        'location': 'South Korea',
                        'name': 'Coupang',
                        'size': 'Tens of millions of active customers (24.7 '
                                'million active users in Q3 2025)',
                        'type': 'E-commerce Platform'}],
 'attack_vector': 'Insider Threat',
 'customer_advisories': 'Customers advised to change passwords, enable '
                        'two-factor authentication, monitor accounts for '
                        'suspicious activity, and be cautious of phishing '
                        'emails or scam calls.',
 'data_breach': {'number_of_records_exposed': '33.7 million',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'Personally identifiable information '
                                        '(PII)',
                 'type_of_data_compromised': ['Names',
                                              'Email addresses',
                                              'Phone numbers',
                                              'Shipping addresses',
                                              'Order histories']},
 'date_detected': '2025-11-18',
 'date_publicly_disclosed': '2025-11-29',
 'description': 'Coupang, South Korea’s largest online retailer, suffered a '
                'major data breach exposing personal information from about '
                '33.7 million customer accounts, including names, email '
                'addresses, phone numbers, shipping addresses, and '
                'order-history details. The breach was linked to an insider '
                'threat involving a former employee.',
 'impact': {'brand_reputation_impact': 'Eroded trust, customers pausing '
                                       'activity or leaving the platform',
            'data_compromised': '33.7 million customer accounts',
            'identity_theft_risk': 'Higher risk of phishing attempts, scams, '
                                   'and smishing (SMS scams)',
            'legal_liabilities': 'Potential fine up to 1 trillion won (~$770 '
                                 'million) under South Korea’s data-protection '
                                 'law',
            'operational_impact': 'Orders dropped by 30% or more for small '
                                  'sellers',
            'payment_information_risk': 'None (payment details and login '
                                        'credentials were not compromised)',
            'systems_affected': 'Overseas servers'},
 'lessons_learned': 'Internal safeguards and access control are critical; '
                    'external firewalls are insufficient. Weaknesses like '
                    'lingering credentials and lack of timely revocation can '
                    'lead to insider threats.',
 'post_incident_analysis': {'root_causes': 'Insider threat due to lingering '
                                           'credentials of a former employee, '
                                           'lack of timely credential '
                                           'revocation, and inadequate '
                                           'internal access controls'},
 'recommendations': ['Strengthen internal access controls and credential '
                     'management',
                     'Implement timely revocation of access for former '
                     'employees',
                     'Enhance monitoring for unauthorized access',
                     'Prioritize data security and transparency',
                     'Encourage customers to use strong, unique passwords and '
                     'enable multi-factor authentication'],
 'references': [{'source': 'Coupang Official Disclosure'}],
 'regulatory_compliance': {'fines_imposed': 'Potential fine up to 1 trillion '
                                            'won (~$770 million)',
                           'regulations_violated': 'South Korea’s '
                                                   'data-protection law'},
 'response': {'communication_strategy': 'Public apology from CEO, disclosure '
                                        'of breach details'},
 'threat_actor': 'Former Employee',
 'title': 'Coupang Major Data Breach',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Lingering credentials, lack of timely credential '
                            'revocation'}