my timesThe Korea Times
  1. Business

You may have been affected by Coupang's data breach. Here’s what you should do

Listen
By Kwak Yeon-soo
  • Published KST
A notice from Coupang on Saturday about its recent data breach is seen on a mobile phone screen. Yonhap

A notice from Coupang on Saturday about its recent data breach is seen on a mobile phone screen. Yonhap

On Saturday, e-commerce giant Coupang confirmed a data breach that potentially impacted 33.7 million customer accounts. Although the data breach is believed to have begun as early as June through servers overseas, Coupang failed to detect the cyber intrusion for five months.

What caused the data breach?

A former employee, A Chinese national who quit in December 2024, is suspected of being behind the breach. Appearing at a parliamentary session on Tuesday, Coupang CEO Park Dae-jun said the suspect had worked as a developer on the company’s authentication and system access management team. The attacker is believed to have extracted customer information after leaving the company, by exploiting authentication tokens and a signing key. An authentication token acts like a temporary access pass issued after a user logs in, and a signing key is used to create and verify those tokens.

Coupang failed to revoke or rotate the signing key even after the employee’s departure, exposing a serious gap in the company’s cybersecurity controls. “The suspect could be an individual or multiple people,” Park said, declining to provide further details due to the ongoing police investigation.

Who’s affected?

Around 33.7 million accounts — presumably all Coupang customers — were affected by the breach. Personal information, including names, phone numbers, email addresses, delivery addresses and, for some, purchase histories, were accessed. Coupang warned its users to stay alert to scams impersonating the company.

So far, multiple users say they have discovered unfamiliar login attempts from overseas IP addresses appearing in their account activity, raising concerns about a potential security breach. Some also say they have received unusual payment or login-attempt notifications as well as alerts indicating suspicious account activity originating from outside Korea.

What you should do

Although Coupang insists that login credentials and credit card information remain secure, experts caution that users should nonetheless brace for potential worst-case outcomes.

Kim Seung-joo, a professor at Korea University School of Cybersecurity, advised users to do the following:

1. Delete credit card number
2. Change Coupang account password
3. Reset credit card password

Some affected consumers have already begun canceling their Coupang accounts. However, many report that the six-step terminating process is overly complex and inconvenient. Some customers are even preparing a collective legal action against Coupang. About 14 Coupang users filed a damages suit at Seoul Central District Court on Monday, demanding 200,000 won ($136) each in compensation.