Nearly 34 million customers of South Korea-based e-commerce platform Coupang had their personal information leaked in a data breach that persisted undetected for more than five months, the company disclosed over the weekend.
Coupang initially detected an unauthorized access incident affecting 4,500 users on November 18, but a follow-up investigation uncovered that the breach had actually compromised approximately 33.7 million customer accounts in South Korea.
According to the company, the exposed data includes names, email addresses, phone numbers, shipping addresses, and some order histories. Coupang stated that more sensitive information—such as login credentials and payment or credit card details—was not exposed in the incident.
The company said in a statement that it had reported the breach to the Korea Internet Security Agency (KISA), the Personal Information Protection Commission (PIPC), and the National Police Agency. “According to the investigation so far, it is believed that unauthorized access to personal information began on June 24, 2025, via overseas servers,” Coupang said in a statement. The company added that it had blocked the unauthorized access route, bolstered internal monitoring, and brought in a third-party cybersecurity firm.
A Coupang spokesperson told TechCrunch that systems linked to its Taiwan-based Rocket Now service and its Japanese operations were unaffected.
South Korean authorities have identified a suspect in their ongoing investigation: a former Chinese Coupang employee who is currently abroad, according to reports.
This incident is the latest in a series of cybersecurity breaches affecting South Korean firms. Coupang itself has previously experienced data leaks, including incidents between 2020 and 2021, as well as a December 2023 breach involving its seller management system, which exposed data of more than 22,000 users.
