Coupang Offers Advisory After Recent Data Breach, Security Expert Warns of Dangerous Fallout
Breach Reportedly Compromised Over 33 Million Accounts, Exposing Names, Email Addresses, and More

South Korea’s largest e-commerce platform, Coupang, was recently hit by a data breach that reportedly affected some 33.7 million local customers. Coupang, in a statement, admitted it first became aware of the breach on November 18 and that it has reported the incident to authorities.
Regarded as the Amazon of South Korea, Coupang had over 24 million active customers in the third quarter of 2025 alone. According to the company, the breach, which exposed customer names, e-mail addresses, phone numbers, shipping addresses, and certain order histories, may have begun as early as June 24. Coupang maintains that payment details or login credentials were not compromised.
“We promptly reported the incident to relevant authorities as soon as we became aware of the breach and are currently cooperating with the Ministry of Science and ICT, the Korean National Police Agency, the Personal Information Protection Commission, the Korea Internet & Security Agency, and the Financial Supervisory Service to conduct an investigation into the case,” Coupang said in a statement.
Coupang Releases Revised Notice
Upon orders from the Personal Information Protection Commission, Coupang has released a new advisory changing the description of the incident from personal information “exposure” to “breach” and outlining the scope of all affected information.
“An incident involving the breach of customers’ personal information has occurred…,” Coupang said in the new notice. “No new leakage has taken place, and this notice is intended to provide guidance on precautions to prevent further damage, such as impersonation or phishing, related to the personal information leak that we have notified since November. 29.”
As part of the revised advisory, Coupang has instructed customers not to click on links from unknown sources and to report to relevant authorities any suspicious activities.
Coupang Breach a Referendum on Identity Security
It has previously been reported that the Coupang breach was precipitated by internal credentials being used illicitly. This, according to Takanori Nishiyama, Senior Vice President, APAC, and Japan Country Manager at Keeper Security, proves yet again why organisations need to beef up identity security to complete their perimeter defence.
“The reported breach impacting tens of millions of Coupang customers is a clear reminder that identity security, not perimeter defence, is the defining weakness in many large-scale incidents today,” Nishiyama told Cybersecurity Asia. “If initial reports prove to be the case, which suggest the incident involved unauthorised use of internal authentication credentials, it reveals how quickly exposure can escalate when privileged access is not tightly governed.”
Nishiyama is thus recommending that organisations, especially those operating at the scale of major e-commerce platforms, strictly manage privileged access through its lifecycles, where access rights are revoked the moment an employee leaves or changes roles. Additionally, authentication tokens, keys, and passwords, according to the Keeper Security executive, should never remain active beyond their intended use.
“We continue to see the same pattern right across the APAC region, with both internal and external threat actors leveraging compromised or outdated credentials, unrevoked access rights, and weaknesses in identity governance,” Nishiyama added. “It is an entry point that allows cyber attackers to move through systems undetected, because it relies not on complex attack methods but systemic vulnerabilities that persist when privileged access controls are inconsistently enforced.”
The Next Step for Customers
While Coupang continues to sort out this mess and work on its security mechanisms, Nishiyama warns affected customers that they could be potential victims of targeted phishing, account-takeover attempts, and identity fraud moving forward.
As such, he echoed Coupang’s earlier advice to treat unsolicited communications with extreme caution. He also advises the company’s customers to “avoid password reuse across accounts and enable multi-factor authentication wherever possible.”



