What You Need to Know about the Coupang Data Breach

Coupang, a company listed on the NYSE, is South Korea’s largest online retailer and is headquartered in  Seattle. It serves millions of customers in over 190 countries, including the United States, offering retail, video streaming, restaurant delivery, and fintech services worldwide under various brands.  

With approximately $4 billion of U.S. goods sold annually in at least 190 countries, it is not surprising that Coupang became the target of a massive data breach that affected nearly its entire user base. This breach, which involved the personal data of 33.7 million customers in Korea, has riled consumers who rely heavily on Coupang’s services every day, from early morning breakfast deliveries to groceries.

The Coupang data breach, linked to MITRE ATT&CK techniques T1078 and T1059, exposed personal information, including full names, email addresses, phone numbers, physical addresses, and order details of the 33.7 million affected customers. The company states that no payment information or passwords were exposed or compromised in the incident. According to reports, the breach was likely the result of phishing or credential compromise, with SQL injection used to exploit input validation flaws.

After discovering the breach, the company confirmed it immediately blocked unauthorized access, enhanced internal monitoring, and notified relevant authorities in Korea, including the Personal Information Protection Commission and the Ministry of Science and ICT. The National Police Agency and the Korea Internet Security Agency were also notified. While there are no potential fraud risks related to direct financial theft, the Coupang data breach incident poses significant privacy concerns. 

When Was the Coupang Data Breach?

Although the Coupang data breach incident came to light on November 18, 2025, the threat actors were said to have gained access to the company’s system on June 24, 2025, via overseas servers. Unfortunately, it remained undetected for nearly five months. The company, in a notice published on its website on December 6, 2025, says it is investigating the incident in cooperation with relevant authorities.

According to several online reports, the cyberattack has been attributed to a former Coupang employee, a former Chinese national who formerly worked on the company’s authentication system. The attacker allegedly exploited a critical infrastructure failure and created fraudulent access tokens that enabled unauthorized access to the company’s system. Once created, the threat actor was able to bypass standard security authentication procedures with the tokens, enabling it to log in from overseas locations without setting off normal security alerts.

How to Check If Your Data Was Breached

Coupang had initially notified affected users of the recent data breach, describing it as personal information exposure, even when it was aware that such data was leaked. However, following a government order, the company has updated its notice to describe the data incident as a breach. The updated notice was communicated via a text message to the 33.7 million customers whose data was leaked due to the data incident. You must have received this message if you were affected by the breach.

You can also check if your data was leaked in the Coupang data breach through breach-check services that collect data from the dark web and known breaches. These websites allow anyone to search if their information has appeared in any data breach using their username. Furthermore, check your email accounts and social media accounts for any suspicious activity. For example, any email in your sent folder that you did not initiate or a login history from an unrecognized device or location may indicate that your data has been leaked in the Coupang incident.

Another way to find out whether your data was breached is through your credit reports. If you spot new accounts or loans that you did not initiate in your credit reports, there is a high chance your data was leaked in the data security incident.   

What to Do If Your Data Was Breached

If your personal data got leaked in the recent Coupang data breach, you have a duty to be extra vigilant, particularly in interacting with text messages or emails from unidentified sources. Avoid clicking on links of unclear origins, even if the messages claim to originate from the company. Any information sent by email or text messages via phone numbers or email addresses listed on Coupang’s Customer Center website is probably not from the company. Delete such communication and report it to the relevant authority.

You should also consider changing your Coupang account’s password and any other accounts where you have used the same password if you were impacted by the data incident. While doing that, be sure to use a strong, unique password and never use the same passphrase for each account.

Furthermore, you can check your credit reports for unfamiliar inquiries or accounts if your personal information was breached in the Coupang data incident. Whether or not there are unfamiliar accounts or other suspicious activity, consider a credit freeze immediately. This makes it harder for unauthorized parties to open new accounts in your name using leaked data. Also consider checking your financial accounts, including online payment platforms, banks, and credit cards, for any unauthorized or suspicious charges. If you find any, report it to your financial institution immediately.

Are There Any Lawsuits Because of the Data Breach?

There have been no substantiated lawsuits against Coupang regarding the recent data breach as of early December. However, a law firm in the United States, SJKP, the U.S. affiliate of South Korea’s Daeryun law firm, has announced their intention to file class actions against the company in collaboration with several hundred customers. Several other law firms in Korea are also mobilizing those affected in the data breach for possible class-action lawsuits. 

The company faces substantial legal and financial consequences. Regulators may impose fines up to 3% of Coupang’s average annual revenue for data protection violations, potentially reaching 1 trillion in penalties. This is in line with South Korea’s Personal Information Protection Act.

Can My Coupang Information Be Used for Identity Theft?

Yes. The Coupang data breach involved the exposure of full names, delivery addresses, phone numbers, and email addresses, all of which are valuable for criminals to steal the identities of the affected customers. For example, if you use the same password on your Coupang account as you do on other online accounts, such accounts are at risk of being compromised.

Similarly, any criminal with the leaked data could attempt to impersonate you, committing other forms of identity fraud or opening new accounts in your name. Furthermore, criminals can use the combination of leaked information to impersonate delivery services employed by Coupang to trick you into revealing additional confidential information through phishing calls or emails.

What Can You Do to Protect Yourself Online?

Following discovering the data breach, Coupang promptly advised caution against fake texts and calls pretending to be related to delivery drivers, part-time jobs, or product reviews. If you have shared entrance codes in your Coupang delivery address book, the company advises that you change the codes immediately.

The following are other ways to protect yourself online:

• Keep your personal information personal and away from social media accounts. If possible, lock down your privacy settings to prevent third parties from viewing information such as birthdays and addresses that cybercriminals can use to figure out your passwords.
• Create long, unique passwords and avoid reusing passwords across online accounts. Hackers can easily break weak passwords. So, rather than use common identifying information as passwords, use a string of mixed-case letters, special symbols, and numbers to create hard-to-guess passwords.
• Sign up for an identity protection service to monitor your financial or personal information for any potential threats on the dark web. 
• Install every update as soon as it is available on your internet devices and web browsers to fix security risks. Turning on automatic updates will enable your devices to install updates as soon as they arrive, even without your input.
• Turn on multi-factor authentication (MFA) to protect your online accounts. This provides extra security by confirming your identity when signing in to your account. The additional security may require you to enter a code generated by an authenticator app or a code texted to your phone, making it significantly safer for you online.
• Stay abreast of online scams and data breach incidents by constantly educating yourself through IDStrong.
• Beware of phishing scams that may use fraudulent websites and emails to trick you into disclosing login information or private accounts. Avoid opening any attachments or clicking on links from unfamiliar sources. 
• Protect your home Wi-Fi with a password and be careful about the kind of information you send over public wireless networks. Where possible, avoid connecting to public Wi-Fi networks.