Date of Incident:
June 24, 2025
Overview:
The Coupang Data Breach, reported on December 1, 2025, impacting the retail sector, involved the customer database being accessed without authorization on June 24, 2025. Abnormal activity was detected on November 14, 2025, with breaches potentially dating back to June 2025. Coupang announced the breach and provided details about the incident, stating that personal information, including full names, phone numbers, email addresses, physical addresses, and order details of 33.7 million members, was exposed. Coupang confirmed the scope of the data leak and their cooperation with authorities. Notably, payment information and passwords remained secure.
The breach, first identified in November 2025, maps to MITRE ATT&CK techniques T1078 and T1059 and likely stemmed from credential compromise or phishing, with SQL injection used to exploit input validation flaws. It was traced to a former employee who exploited unrevoked cryptographic signing keys and who has admitted involvement. Although there is no risk of financial theft, the breach poses significant privacy concerns and has major implications for data privacy in South Korea.
Coupang is under investigation by the South Korean government following the data breach that exposed personal information of 33.7 million customers. Lawmakers and the South Korean government are actively investigating the breach, coordinating with Coupang to recover evidence and identify the perpetrator. Earlier, South Korea’s Trade Minister Yeo Han-koo had stated that the government is not discriminating against Coupang. Similar companies in the sector include Amazon, eBay, Walmart, Alibaba, and JD.com.
Impact:
Exposure of personal information of 33.7 million customers including full names, phone numbers, email addresses, physical addresses, and order information. Payment information and passwords were not exposed.
To address the concerns of affected users, Coupang is working to provide compensation and maintain transparency throughout the incident response process.
Details:
The Coupang Data Breach involved unauthorized access to the company’s customer database, exposing the full names, phone numbers, email addresses, physical addresses, and order details of approximately 33.7 million customers. Coupang’s investigation found that the attacker gained access using unrevoked cryptographic signing keys; the perpetrator was identified as a former employee who accessed user data with a stolen security key. The attack maps to MITRE ATT&CK techniques T1078 (Valid Accounts) and T1059 (Command and Scripting Interpreter), with initial access likely achieved through credential compromise or phishing. PoC code behavior included SQL injection payloads that exploited input validation flaws to extract data. IOCs identified include suspicious IP addresses used in database queries, anomalous login timestamps, and network traffic indicative of data exfiltration. Log artifacts showed unusual database query logs, error logs with failed login attempts, and registry changes associated with malware persistence.
The perpetrator retained limited user data from only around 3,000 accounts and deleted it after the breach was reported, which helped contain the leak and reassured stakeholders that most of the data was not stored or shared. The incident exposed failures in Coupang’s offboarding processes and internal access management. Payment information and passwords were not exposed, which reduces the risk of financial theft but still leaves customers facing privacy threats.
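As an added defender's example (not Coupang's code or data), the following Python checks for the two failures the details above describe: signing keys left live after their owner was offboarded, and key use after the owner's departure. The key inventory, HR offboarding dates and usage records are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample data (illustrative, not the incident's real records):
# a signing-key inventory, HR offboarding dates and a key-usage audit trail.
KEYS = [
    {"key_id": "sk-001", "owner": "alice", "revoked_at": None},
    {"key_id": "sk-002", "owner": "bob", "revoked_at": None},  # owner left, key still live
    {"key_id": "sk-003", "owner": "carol", "revoked_at": "2025-05-01T19:00:00"},
]
OFFBOARDED = {"bob": "2025-03-31T18:00:00", "carol": "2025-05-01T17:00:00"}
KEY_USAGE = [  # (timestamp, key_id, target, action)
    ("2025-06-23T09:00:00", "sk-001", "db-prod-01", "query customers"),
    ("2025-06-24T02:13:07", "sk-002", "db-prod-01", "query customers"),
    ("2025-06-24T02:14:52", "sk-002", "db-prod-01", "query orders"),
]


def _ts(s):
    return datetime.fromisoformat(s)


def unrevoked_keys_of_former_staff(keys, offboarded, now, grace=timedelta(hours=24)):
    """Hygiene check: keys owned by an offboarded person that were not revoked
    within `grace` of the leaving date. Returns (key_id, owner, days_overdue)."""
    findings = []
    for k in keys:
        left = offboarded.get(k["owner"])
        if left is None:
            continue  # owner is still employed
        deadline = _ts(left) + grace
        # a live key is measured against `now`; a late revocation against its own time
        end = _ts(k["revoked_at"]) if k["revoked_at"] else _ts(now)
        if end > deadline:
            findings.append((k["key_id"], k["owner"], (end - deadline).days))
    return findings


def key_use_after_offboarding(usage, keys, offboarded):
    """Detection: usage events signed with a key whose owner had already left.
    Returns (timestamp, key_id, owner, target) for each hit."""
    owner_of = {k["key_id"]: k["owner"] for k in keys}
    hits = []
    for ts, key_id, target, _action in usage:
        owner = owner_of.get(key_id)
        left = offboarded.get(owner)
        if left is not None and _ts(ts) > _ts(left):
            hits.append((ts, key_id, owner, target))
    return hits
```

The hygiene check belongs in the offboarding pipeline; the detection belongs in the SIEM rule set, where it would have fired on the first post-departure query.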
Forensic analysis is ongoing, with the Seoul Metropolitan Police Agency actively investigating the Coupang data breach and examining server logs for evidence. During the investigation, authorities discovered that, in an attempt to destroy evidence, a device was discarded and later recovered from a riverbed, emphasizing the thoroughness of the investigation as they traced the actions of the former employee.
Remediation:
Coupang plans to implement a series of future strategies to address the data breach, including ongoing cybersecurity investigations, customer compensation programs, and operational reforms. These initiatives are designed to restore public trust and demonstrate transparency in their response.
Following the breach, Coupang established a specialized task force to address security measures mandated by the Personal Information Protection Commission. The company improved its security framework by potentially adopting advanced industry standards such as Zero-Trust architecture. Coupang also commissioned three top global cybersecurity firms to perform a rigorous forensic investigation. CEO Park Dae-jun resigned following the breach, resulting in executive changes within the company. Speaking on the matter, Coupang officials emphasized their commitment to remediation and outlined steps taken to strengthen their security posture. However, Coupang’s slow response and limited transparency have compounded public distrust and drawn attention from regulators.
Coupang has recommended immediate password resets for impacted users and enhanced monitoring for suspicious activity. They applied patches to fix input validation vulnerabilities and strengthened access controls by implementing multi-factor authentication (MFA). Temporary mitigations included blocking suspicious IP addresses and conducting comprehensive internal audits to identify suspicious lateral movement. As part of their operational reforms, Coupang is prioritizing the security of their services to ensure continued protection for customers and minimize disruption to business operations.
Prevention:
Preventing a massive data breach like the one experienced by Coupang requires a multi-layered approach that addresses both technical vulnerabilities and organizational processes. In the wake of the incident, the Seoul Metropolitan Police Agency underscored the necessity of robust access controls and vigilant internal oversight to safeguard sensitive customer data. This means regularly updating security protocols, ensuring that only authorized personnel—never former employees—can access critical systems, and conducting frequent audits to detect any unusual activity.
Coupang, the South Korean e-commerce company at the center of this breach, has announced comprehensive plans to strengthen its defenses. These include deploying advanced AI-based automated penetration testing solutions, such as FireCompass, to continuously identify and remediate vulnerabilities before attackers can exploit them. The company has also rolled out a compensation plan valued at 1.69 trillion won, aiming to restore customer trust among all 33.7 million affected users, including those who had previously canceled their accounts but were notified of the data leak.
To fully cooperate with the ongoing formal investigation led by government authorities and the National Assembly, Coupang has partnered with leading global cybersecurity firms, including Palo Alto Networks. Interim CEO Harold Rogers has publicly expressed regret over the incident and reaffirmed the company’s commitment to customer-centric values, promising to implement lessons learned to prevent future breaches. The company has also taken steps to prevent secondary harm, such as enhancing monitoring for suspicious activity and ensuring that payment information and phone numbers remain protected. U.S. investors have petitioned the U.S. government in Washington to investigate South Korea’s handling of the data breach, prompting additional scrutiny and oversight. Regulatory authorities have established a designated period for the official investigation, during which compliance and remedial actions are closely monitored.
Employee and customer education is another critical pillar in preventing data breaches. Coupang has increased training efforts to help staff recognize and report suspicious behavior, while also encouraging customers to adopt strong password practices and enable multi-factor authentication. These measures, combined with regular security reviews and prompt patching of vulnerabilities, are essential for reducing the risk of another massive data breach.
The government’s response has been equally robust. The National Assembly has launched a formal probe into the incident, with regulators imposing penalties and demanding accountability from Coupang for its handling of customer data. Investors have also called for greater transparency and oversight, reflecting the broader impact of the breach on the company’s reputation and market standing.
In a notable effort to support the investigation, Coupang has retained digital forensics experts to analyze recovered hardware and has handed over all relevant evidence to authorities. Among the evidence was a MacBook Air, found in a riverbed packed with bricks in an apparent attempt to destroy data—highlighting the lengths to which some parties went to conceal their actions.
Ultimately, the Coupang data breach serves as a stark reminder for all e-commerce companies of the importance of proactive security measures. The story of this breach highlights the sequence of events, the vulnerabilities exploited, and the broader implications for cybersecurity across the industry. By implementing continuous automated testing, cooperating fully with authorities, and prioritizing customer trust, organizations can better protect sensitive information and avoid the costly consequences of a data leak. As the digital landscape evolves, so too must the strategies to defend against ever-more sophisticated cyber threats.
Takeaway for CISO:
This breach highlights the critical importance of robust access control and input validation in retail databases that hold sensitive customer data. CISOs should prioritize proactive threat hunting and implement zero trust principles to limit lateral movement and protect customer privacy. Timely patching and user education on phishing are vital to reducing attack surfaces.
Outpace Attackers With AI-Based Automated Penetration Testing With FireCompass:
FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing & NextGen Attack Surface Management.
