South Korea’s biggest online retailer, Coupang, has confirmed a massive data breach that exposed the personal information of almost its entire customer base. Regulators are calling it one of the largest hacks the country has ever seen, and an official investigation is now underway.
What exactly happened
Coupang detected suspicious access to its systems on 18 November 2025 and later confirmed that an attacker had been inside the network for months, starting around 24 June. During that time, the intruder was able to copy data linked to approximately 33.7 million customer accounts.
The leaked information includes names, phone numbers, email addresses and shipping addresses. In some cases, partial order history may also have been exposed. Coupang says that payment card details and passwords were stored separately and were not accessed, but authorities are still reviewing the full scope of the breach.
Local media report that investigators are looking at the possible involvement of a former employee who may have abused internal knowledge to gain access via overseas servers.
Services affected
The breach affects virtually every core part of Coupang’s e-commerce platform:
- Retail customer accounts used for shopping and deliveries
- Saved contact details and shipping addresses
- Order metadata linked to specific users
- Associated marketing and notification systems that rely on email and SMS
The company’s “Rocket Delivery” same-day service and app-based shopping continue to operate, but customer trust in how Coupang handles personal data has taken a significant hit.
Why this matters
Coupang is often described as “South Korea’s Amazon” and is deeply embedded in everyday life for tens of millions of people. A breach of this scale means that a huge portion of the population is now vulnerable to phishing, scam calls and highly targeted fraud that uses real personal details to appear legitimate.
It also raises serious questions about how the attacker remained undetected for so long. Five months of unauthorized access suggests that monitoring, logging and anomaly detection either failed or produced signals that were not acted on quickly enough. Regulators are already examining whether Coupang met its legal obligations under local data-protection rules.
For other e-commerce platforms globally, this incident is another warning that customer databases are now prime targets and that detection speed is just as important as perimeter security.
What users should do now
Coupang customers should assume that their basic personal information is in the wild and act accordingly:
- Be extremely cautious with unexpected calls, emails or SMS messages mentioning Coupang orders or refunds.
- Never click payment links sent by message — instead, open the official app or website directly.
- Monitor bank and card statements closely for unusual activity, even though payment data is claimed to be unaffected.
- Consider updating passwords on other services if the same email/phone number combination is reused elsewhere.
The incident is likely to trigger tighter enforcement of data-protection rules in South Korea and renewed pressure on major platforms to reduce how much sensitive information they store in centralized databases.