Home > Business > Tech

Hacked user data from Coupang could be used for scams, identity theft: Authorities

Published: 01 Dec. 2025, 07:00

A text from Coupang informs a customer that their data has been leaked, on Nov. 30. [KIM HYUN-DONG]

Roughly 33.7 million Coupang user accounts were affected in a massive data breach, raising concerns over potential secondary crimes, including phishing scams and identity theft.

Coupang disclosed on Saturday that personal information from approximately 33.7 million customer accounts had been leaked without authorization. The compromised data includes names, phone numbers, delivery addresses, email addresses and some order details.

A Coupang spokesperson stressed in a phone call that “payment information, credit card numbers and login passwords were not leaked and remain securely protected," but authorities and experts warn that even limited personal data can be used in various types of fraud, such as text messaging fraud and voice phishing, stock trading scams, account takeovers and credit or identity fraud.

On Saturday, the Ministry of Science and ICT, the Personal Information Protection Commission and the Korea Internet and Security Agency (KISA) issued a nationwide security alert, urging the public to beware of fraudulent messages promising refunds or compensation and attempts to trick users into installing remote control programs on their phones or computers.

On social media and online forums, users have voiced anxiety over secondary risks. Some said they were proactively changing their personal customs clearance codes — unique ID numbers required for overseas purchases — or quitting the platform altogether. Others raised concerns that, because Coupang delivers directly to customers' doors, even shared entry codes to buildings may have been compromised.

Experts advise that users immediately change any data that can be updated. KISA said that once account data is leaked, it is often sold and misused repeatedly without the user's knowledge. One common method is credential stuffing — a cyberattack where stolen usernames and passwords are tested on other sites to hijack accounts.

Coupang headquarters in Songpa District, southern Seoul, is seen on Nov. 30, a day after the company announced that data from 33.7 million customer accounts has been leaked. [WOO SANG-JO]

“Attackers could combine the information leaked from Coupang with details from previous breaches, like the one at Lotte Card in August that included card numbers, PINs and resident registration numbers,” said Youm Heung-youl, a professor of cybersecurity at Soonchunhyang University. “Anyone using the same password across Coupang and other online services should change all of them immediately and enable two-factor authentication where possible.”

Hwang Suk-jin, a professor at Dongguk University’s Graduate School of International Information Security, warned that phone numbers may be used by criminals to add users as friends on KakaoTalk, download profile images and even create deepfake content.

Others said users should immediately change any address-related details, including entry codes to apartment buildings. Kwon Hun-yeong, a professor at Korea University’s Graduate School of Information Security, said, “Coupang’s service is integrated across online and offline operations. If this data falls into the hands of criminal networks, it could lead not only to phishing but also to stalking and other crimes.”

Posts expressing similar fears — such as “I’m afraid someone might enter behind me after I type the door code” — have appeared on local parenting forums and on X, formerly Twitter.

A Coupang delivery truck is seen at a company garage in Seoul on Nov. 30. [YONHAP]

To calm growing public concern, experts are calling on Coupang and government agencies to preemptively share updates on the situation and disclose additional risks transparently. “Investigations into data leaks can take more than two to three years, especially if international cooperation is lacking,” said Prof. Hwang. “During that time, it’s crucial to disclose any further leaks or secondary damage to rebuild public trust.”

Amid speculation that the breach may have been carried out by an insider with Chinese ties, some far-right online communities have spread conspiracy theories claiming that China orchestrated the attack to undermine Coupang and push users toward Chinese e-commerce platforms like AliExpress and Temu.

On Sunday, Vice Prime Minister and Science Minister Bae Kyung-hoon announced that the government will begin a three-month intensive campaign to monitor personal data exposure and illegal online distribution starting immediately.

This article was originally written in Korean and translated by a bilingual reporter with the help of generative AI tools. It was then edited by a native English-speaking editor. All AI-assisted translations are reviewed and refined by our newsroom.
BY KIM JEONG-JAE [[email protected]]