Home > National > Social Affairs

A customer reported a suspicious email to Coupang. Then the platform announced a breach.

Published: 03 Dec. 2025, 16:31 Updated: 03 Dec. 2025, 16:44

The threatening email received by a Coupang customer, a 28-year-old surnamed Park, on Nov. 16 warned that his personal information had been leaked. [JOONGANG ILBO]

A suspicious email with the subject line “Your personal information may have been leaked” pushed a software developer surnamed Park into a decision he still describes as surreal: He reported it to Coupang, and the complaint helped bring to light what the company later said was a breach affecting tens of millions of users.

“I got chills when I saw the email saying my personal information had been leaked,” Park said. “I sat there stunned for an hour and a half, not knowing whether I should contact Coupang or report it to the police.”

The company appears to have only recognized the breach after Park’s report on Nov. 16.

According to the email, obtained by the JoongAng Ilbo, the compromised data included specific delivery instructions such as how to access front doors — a detail not mentioned in official disclosures filed by Coupang with the Korea Internet and Security Agency (KISA) or in text messages sent to affected users.

In its text messages sent to customers on Sunday, Coupang stated only that leaked data included “customer names, email addresses, shipping addresses [names, phone numbers, addresses] and order information.”

But the email Park received included precise access instructions for five delivery addresses he had used over the past five years, such as “Leave at the door [freely accessible].” One entry even included, “Leave the package on the table in front,” suggesting the leak extended to the most recent updates to delivery preferences.

The email was sent from “Yui Sato” via the address [email protected] and began in English: “Your personal data on coupang.com is under risk of potential disclosure.”

The leaked order history in the email also appears to be far more extensive than what Coupang reported to KISA. While the company told the agency at 10:52 p.m. on Nov. 18 that “the five most recent orders” per account had been compromised, Park’s email listed 15 items, including names of products, prices, order dates and quantities. His most recent purchase — a mixed snack set of chips — was among the leaked items.

The report made by a 28-year-old Coupang customer surnamed Park, who contacted customer service after receiving a threatening email on Nov. 16 claiming his personal information had been leaked. [JOONGANG ILBO]

Park said he spent about 90 minutes stunned after reading the email before reporting it to Coupang via customer service at around 10 p.m. on Nov. 16.

“I didn’t know what to do. I didn’t know whether I should contact Coupang or the police,” he said. “It was chilling. I felt like my mental state was breaking down.”

After the initial report, Park exchanged six rounds of messages with a Coupang representative, providing details of the breach and requesting information on how much of his personal data had been compromised. The next day, Coupang told him that the data of “about 4,500 users” had been exposed. No follow-up contact was made, he said.

Criticism has also been leveled at Coupang for its delayed response. Although the Act on Promotion of Information and Communications Network Utilization requires companies to report breaches within 24 hours of detection, Coupang filed its report with KISA just under the deadline, at 10:52 p.m. on Nov. 18. It was not until Saturday that the company announced 33.7 million user accounts had been affected.

Some customers did not receive notification texts until Sunday — nearly two weeks after Coupang became aware of the breach.

Park said his interest in cybersecurity helped him recognize the email as a threat. He uses a paid email filtering service that allows him to screen unknown senders.

“Given the nature of the breach, I don’t think I was the only one who received this kind of email,” he said. “Others may have missed it entirely.”

This article was originally written in Korean and translated by a bilingual reporter with the help of generative AI tools. It was then edited by a native English-speaking editor. All AI-assisted translations are reviewed and refined by our newsroom.
BY MOON SANG-HYEOK [[email protected]]