Coupang data breach affecting virtually every user draws apology from CEO

Home > National > Social Affairs

Coupang data breach affecting virtually every user draws apology from CEO

Published: 30 Nov. 2025, 17:19 Updated: 30 Nov. 2025, 20:11

MICHAEL LEE
[email protected]

Audio report: written by reporters, read by AI

Coupang CEO Park Dae-jun bows in apology over the company’s massive data leak at the Central Government Complex in Jongno District, central Seoul, on Nov. 30. [YONHAP]

A major vulnerability in the database of popular online shopping platform Coupang allowed an intruder to access the personal information of more than 30 million users without a valid login, according to Vice Prime Minister and Science and ICT Minister Bae Kyung-hoon on Sunday.

Speaking at an emergency meeting with Coupang CEO Park Dae-jun and officials from various ministries at the Central Government Complex in Seoul in the afternoon, Bae confirmed that the intruder “abused an authentication loophole in Coupang’s server” and extracted names, emails, phone numbers and addresses tied to customers’ accounts.

The vice prime minister added that the government “deeply regrets that such incidents have occurred even at a major platform widely used by the public.”

The breach, which authorities believe began in June, went undetected until Nov. 18, when Coupang launched an internal investigation into suspicious activity within the company’s database. The company first announced that just 4,500 accounts were affected, but revised that number days later to 33.7 million — a figure surpassing the active user base of Korea’s dominant online retailer.

Considering that about 24.7 million people use the platform on a regular basis, officials say the leak likely includes data from former users as well, meaning nearly anyone who has ever shopped on the platform could be affected.

In a statement to reporters before the meeting, Park publicly apologized, saying the company was “deeply sorry for causing concern for customers who were affected and the public.” He said Coupang would “work quickly to identify the cause” and “closely cooperate” with investigators to prevent additional harm.

Park added that the breach was limited to “customer names, emails, phone numbers, delivery addresses and some order histories,” and that “payment information, credit card information and customer login information were not included.”

Authorities are examining whether Coupang failed to comply with mandatory security obligations, given the length of time the breach went undetected. Bae said investigators began on-site inspections immediately after the company filed a criminal complaint with police on Tuesday.

Vice Prime Minister and Science and ICT Minister Bae Kyung-hoon speaks at an emergency meeting at the Central Government Complex in Jongno District, central Seoul, on Nov. 30. [YONHAP]

Although Coupang initially insisted “there were no signs of intrusion from outside the company’s internal networks,” police are now investigating the possibility that a former Chinese employee who left the company last month may have extracted the data from overseas.

A police official said authorities were “leaving all possibilities open and verifying the exact circumstances of the leak.”

The incident is already drawing comparisons to the 2011 breach of then-popular social media platform Cyworld, which exposed the personal details of about 35 million users.

Public frustration is mounting as Coupang customers describe slow or confusing notifications of their exposure. The company has sent text alerts to customers warning that their personal data had been exposed, but some users say they received the alerts days after others.

While the full scope how the leaked information could be misused remains unknown, the fallout has already begun.

Since the data breach became widely known, online communities have formed to organize a class-action lawsuit. Some customers have also posted screenshots confirming they had canceled their accounts.

BY MICHAEL LEE [[email protected]]