South Korean e-commerce giant Coupang hit by massive breach exposing 33.7 million users

Regulators warn of secondary scams, as probe uncovers months of unauthorised access.

Choi Ji-won

The Korea Herald

With Coupang reporting 34 million monthly active users, the figures point to virtually universal exposure, placing the incident among the most extensive e-commerce data breaches ever recorded in Korea. PHOTO: AFP

December 1, 2025

SEOUL – E-commerce giant Coupang has admitted to the leak of personal information related to 33.7 million users — nearly its entire customer base — intensifying fears that one of Korea’s most widely used apps has left millions of shoppers exposed.

CEO Park Dae-jun issued a public apology Sunday, one day after the company formally disclosed the breach.

“I express deep regret over the recent incident at Coupang that began on June 24,” Park said. “We sincerely apologize for causing significant inconvenience and concern to the public.”

Coupang said Saturday that personal data from more than 30 million users had been confirmed leaked — a dramatic escalation from the roughly 4,500 cases first disclosed. The exposed information includes names, phone numbers, email addresses and home addresses. Payment details, credit card information and login credentials — which are stored separately — were not accessed, and customers do not need to take account-related measures, the company said.

With Coupang reporting 34 million monthly active users, the figures point to near-universal exposure, marking one of the largest e-commerce data breaches recorded in Korea.

More alarming than the scale of the leak are Coupang’s lapses in cybersecurity oversight, which allowed unauthorized access to continue undetected for five months, a key factor now emerging behind the severity of the breach.

The full extent of the damage remains under investigation.

The government convened an emergency meeting Sunday in Seoul, chaired by Science and ICT Minister Bae Kyung-hoon, and released initial findings. Officials from related agencies, including the Personal Information Protection Commission, the police and the National Intelligence Service, along with Park, attended the meeting.

“The government received Coupang’s first report of the attack on Nov. 19 and of the data leakage on Nov. 20, with on-site inspections ongoing since then,” the ministry said. “During the investigation, we confirmed that the attacker exploited an authentication vulnerability in Coupang’s servers, gaining access to more than 30 million accounts without a normal login process.”

Starting that day, the government launched a joint public-private investigative task force to determine the cause of the breach and craft preventive measures. The privacy watchdog, in particular, will examine whether Coupang violated personal data protection or safety management obligations, saying “strict sanctions” will be imposed if any violations are found.

The Seoul Metropolitan Police Agency has also opened a criminal investigation after Coupang formally reported the case to them Tuesday.

With Coupang used daily by a large share of the population, authorities also warned of secondary damage stemming from the stolen data.

“We urge the public to exercise exceptional caution and watch for calls or text messages disguised as coming from Coupang,” Minister Bae said, warning consumers about phishing attempts using terms such as “damage confirmation,” “compensation” or “refunds.” The government has begun

The government added it is declaring a three-month period of heightened monitoring across the internet — including the dark web — for any further exposure or illegal distribution of personal data.

Meanwhile, industry reports suggest the breach may have originated inside the company, possibly involving a foreign employee. While Coupang listed the suspect as “unidentifiable” in its police filing, the company’s own language has fueled speculation of an internal incident. In a Nov. 20 notice, Coupang said “consumer personal data has been accessed through an unauthorized means by a third party,” prompting interpretations that the breach did not stem from an external hacking attempt.

Additional reports say the suspected employee has already left Korea, complicating investigators’ efforts to trace the source.

A Coupang official said Sunday that such claims cannot be confirmed, adding that the company is cooperating fully with government agencies as the probe continues.

The breach comes as Korea grapples with a wave of high-profile data exposures that have revealed deep vulnerabilities in cybersecurity across sectors. Since the SK Telecom hack in April, which compromised USIM server data for 23 million users, all three major mobile carriers have reported breaches, and Lotte Card has disclosed unauthorized access concerning more than 200 gigabytes of customer information affecting nearly 3 million people.

By the number of affected users, Coupang is now poised to become the largest e-commerce data breach on record in Korea. Given the scale, the company could face penalties surpassing the 134.8 billion won ($92 million) fine imposed on SK Telecom — the highest privacy-related sanction to date.
