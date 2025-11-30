Regulators warn of secondary scams, as probe uncovers months of unauthorized access

E-commerce giant Coupang has admitted to the leakage of the personal information of 33.7 million users — nearly its entire customer base — intensifying fears that one of Korea’s most widely used apps has left millions of shoppers exposed.

The New York–listed firm said Saturday that the compromised data includes names, phone numbers, email addresses and home addresses. Payment details, credit card information and login credentials — stored separately under enhanced security — were reportedly not accessed. The company has said users do not need to take additional steps at this stage.

With Coupang reporting 34 million monthly active users, the figures point to virtually universal exposure, placing the incident among the most extensive e-commerce data breaches ever recorded in Korea.

Coupang’s shortcomings in cybersecurity oversight are emerging as a central factor behind the scale of the leak. Internal findings suggest the intrusion may have gone undetected for up to five months.

“Investigations so far show that attackers have been making unauthorized access to personal data through overseas servers since June 24,” the company said in a statement. “We have blocked those unauthorized channels and strengthened internal monitoring.”

In its report to the Korea Internet & Security Agency, Coupang acknowledged that an illegal access attempt occurred on Nov. 6, but was not detected until Nov. 18. The platform’s initial disclosure indicated a leak affecting about 4,500 customers, but that figure later surged to 33.7 million as investigators uncovered far broader exposure.

Authorities say the full extent of the damage has yet to be confirmed. The Personal Information Protection Commission and the Ministry of Science and ICT on Sunday launched a joint public-private investigation to determine the cause of the breach and propose preventive measures.

The privacy watchdog said it began examining the case on Nov. 21, after Coupang’s first leakage report. A second report filed Saturday confirmed the massive scale. “With a vast amount of personal information, such as phone numbers and addresses, exposed, we intend to act quickly and impose strict sanctions if any violations of safety-management obligations are found,” the commission said.

The Seoul Metropolitan Police Agency has also opened an investigation after receiving Coupang’s complaint Tuesday.

Industry reports suggest the breach may have originated inside the company, possibly involving a foreign employee. While Coupang listed the suspect as “unidentifiable” in its police filing, the company’s own language has fueled speculation of an internal incident. In a Nov. 20 notice, Coupang said “consumer personal data has been accessed through an unauthorized means by a third party,” prompting interpretations that the breach did not stem from an external hacking attempt.

Additional reports say the suspected employee has already left Korea, complicating investigators’ efforts to trace the source.

A Coupang official said Sunday that such claims cannot be confirmed, adding that the company is cooperating fully with government agencies as the probe continues.

With Coupang used daily by a large share of the population, regulators are warning of secondary damage stemming from the stolen data. The company urged users to watch for fraudulent calls or texts disguised as official messages, while authorities cautioned consumers against phishing attempts via text message using terms such as “damage confirmation,” “compensation” or “refunds.”

The breach comes as Korea grapples with a wave of high-profile data exposures that have revealed deep vulnerabilities in cybersecurity across sectors. Since the SK Telecom hack in April, which compromised USIM server data for 23 million users, all three major mobile carriers have reported breaches, and Lotte Card has disclosed unauthorized access concerning more than 200 gigabytes of customer information affecting nearly 3 million people.

By the number of affected users, Coupang is now poised to become the largest e-commerce data breach on record in Korea. Given the scale, the company could face penalties surpassing the 134.8 billion won ($92 million) fine imposed on SK Telecom — the highest privacy-related sanction to date.