Coupang Data Breach Exposes 33.7 Million Customers
▼ Summary
– Coupang, South Korea’s largest retailer, suffered a data breach exposing the personal information of 33.7 million customers.
– The breach occurred on June 24, 2025, but was only discovered and investigated starting November 18, 2025.
– Exposed data includes names, phone numbers, addresses, and order information, but not payment details or passwords.
– The company has reported the incident to authorities and is notifying impacted individuals, who are advised to be vigilant for impersonation attempts.
– This is the second major cybersecurity incident in South Korea this year, following a breach at SK Telecom that affected 27 million subscribers.
A significant data breach at Coupang, South Korea’s dominant online retailer, has compromised the personal details of an estimated 33.7 million customers. The company disclosed that unauthorized access occurred on June 24, 2025, but the intrusion was not detected and investigated until nearly five months later, on November 18, 2025. Initial findings indicated a breach affecting around 4,500 accounts, but subsequent analysis revealed the true, massive scale of the exposure.
The compromised information includes full names, phone numbers, email and physical addresses, and order history. Coupang has assured customers that more sensitive data, such as credit card numbers, payment details, and account passwords, remained secure and was not accessed in this incident. The retail giant, which employs 95,000 people and generates over $30 billion in annual revenue, has notified South Korean authorities, including the National Police Agency and the Personal Information Protection Commission. Affected individuals are being contacted directly via email or SMS.
Customers are advised to be extremely cautious of potential phishing attempts, including suspicious calls, texts, or emails that may impersonate Coupang. The company has not publicly identified the attack method or potential perpetrators, and no cybercriminal group has claimed responsibility as of this reporting. However, local media reports suggest the breach may have been an inside job, carried out by a former employee who exploited unrevoked system access tokens to steal the data; these details have not been independently verified.
This incident marks the second major cybersecurity failure in South Korea this year. In April, SK Telecom, the nation’s largest mobile carrier, warned that a malware infection had exposed sensitive USIM data for its entire subscriber base of 27 million people. The company later confirmed that the malware had been present within its networks since June 2022, remaining undetected for approximately three years. The consecutive large-scale breaches at major corporations highlight ongoing challenges in data protection and threat detection within the country’s digital infrastructure.
(Source: Bleeping Computer)
