Coupang Data Breach Exposes 33.7M South Korean Customers

South Korean e-commerce powerhouse Coupang has confirmed a significant data breach, revealing that the personal information of nearly 34 million customers in South Korea was exposed. The breach, which reportedly spanned over five months, marks a major cybersecurity incident for one of the region's largest online retailers.

Coupang initially detected unauthorized access to approximately 4,500 user accounts on November 18, 2025. However, a subsequent and more thorough investigation uncovered the true scale of the compromise, affecting an estimated 33.7 million customer accounts across South Korea. The company stated that unauthorized access to personal information is believed to have commenced on June 24, 2025, originating from overseas servers.

The compromised data includes customers' names, email addresses, phone numbers, shipping addresses, and specific order histories. Crucially, Coupang emphasized that more sensitive information, such as payment details, credit card numbers, and login credentials, was not affected and remains secure.

In response to the incident, Coupang promptly reported the breach to key regulatory bodies, including the Korea Internet Security Agency (KISA), the Personal Information Protection Commission (PIPC), and the National Police Agency. The company has also taken immediate steps to mitigate the threat, blocking the unauthorized access route, strengthening its internal monitoring systems, and engaging experts from a leading independent security firm to assist with the investigation and enhance its defenses.

The National Police Agency, which launched an investigation following the November 18 complaint, has reportedly identified at least one suspect: a former Chinese Coupang employee currently residing abroad. The investigation is ongoing.

Coupang, renowned for its "Rocket Delivery" quick-commerce service in South Korea, also operates marketplaces in Japan and Taiwan. A company spokesperson confirmed that the investigation has found no evidence suggesting that consumer data from Coupang Taiwan or its Rocket Now service was impacted by this data breach.

This incident is the latest in a series of cybersecurity challenges faced by South Korea this year. Coupang itself has a history of data breaches, with previous incidents between 2020 and 2021 exposing customer information, and a more recent breach in December 2023 compromising the personal data of over 22,000 customers through its seller management system.