Home > Business > Industry

Coupang denies user details sold on Chinese platforms as lawmakers keep questioning beleaguered firm

Published: 03 Dec. 2025, 23:16

A Coupang customer is seen changing their card information on the e-commerce platform on Dec. 3, as concerns about secondary damage from the personal information leak of approximately 33.7 million Coupang users continue to rise. [NEWS1]

Coupang denied that reports of its user accounts being sold online on Chinese shopping platforms are tied in any way to the company’s recently disclosed data breach, saying the two issues are unrelated.

During an emergency parliamentary inquiry by the National Assembly’s Science, ICT, Broadcasting and Communications Committee on Tuesday, People Power Party Rep. Kim Jang-kyom raised allegations that Coupang accounts were being sold for between 23 and 183 yuan ($3 to $25) on Chinese e-commerce platforms.

“When I expressed interest in purchasing a Coupang account, the seller said it could be delivered immediately,” Kim said. “When I asked if it was hacked from a Korean user, the seller replied, ‘Then buy from someone else,’ and ended the conversation.”

“While we can’t trust everything the seller says, the chat clearly refers to ‘verified accounts,’” said Kim. “If login–enabled accounts are being traded, doesn’t that imply that login credentials have been leaked?”

In response, Coupang CEO Park Dae-jun said, “I’m not aware of this particular case, but the recent breach was not carried out by infiltrating our company’s systems or accounts. A former employee accessed the system by posing as a regular user of Coupang’s services.”

Coupang Chief Information Security Officer (CISO) Brett Matthes added, “I have not been made aware of this specific example, but in general, they are many dark web sources selling accounts to many e-commerce providers.”

Coupang CEO Park Dae-jun, left, and Coupang CISO Brett Matthes are seen during a meeting of the National Assembly's Science, ICT, Broadcasting and Communications Committee in western Seoul on Dec. 2. [LIM HYUN-DONG]

“Some of [them] are fabricated accounts, others of which are accounts where the credentials have been stolen by a variety of means, generally from the cookies of clients computers,” Matthes added. “So we will look into this definitely, but it is not necessarily indicative or related to the current threat actor.”

Rep. Kim Jang-kyom asked Kim Seung-joo, a professor of information security at Korea University’s Graduate School of Privacy & Data Protection, who was also present at the parliamentary questioning, whether Matthes’s explanation was plausible.

“Coupang says that only user IDs and authentication tokens were leaked, meaning accounts couldn’t be traded like that,” Prof. Kim Seung-joo said. “But if internal controls failed and both IDs and passwords were leaked, it would be technically possible.”

Coupang CEO Park Dae-jun answers lawmakers’ questions during a parliamentary inquiry into the company’s recent data breach at the National Assembly’s National Policy Committee on Dec. 3. [YONHAP]

Rep. Kim Jang-kyom followed up by asking, “Park said there’s been no secondary damage, but according to Prof. Kim, this could be a form of secondary damage — isn’t that right?”

“I’m not denying the possibility of secondary damage,” Park replied. “But if that’s the case, I question why someone would pay for a Coupang account in the first place.”

Meanwhile, at a separate inquiry held Wednesadyby the National Assembly’s Political Affairs Committee, Park said the company is actively reviewing options to compensate victims of the data breach.

As for the scope and timing of any compensation, Park said, “We haven’t looked into the legal aspects yet. When I say ‘victims,’ I mean those who’ve actually been harmed,” indicating that compensation would be considered for those directly affected by the breach.

This article was originally written in Korean and translated by a bilingual reporter with the help of generative AI tools. It was then edited by a native English-speaking editor. All AI-assisted translations are reviewed and refined by our newsroom.
BY HYEON YE-SEUL [[email protected]]