Seoul police are investigating two separate email accounts potentially connected to the leak of 33.7 million Coupang customer records. The investigation began after threatening emails were sent to both Coupang’s customer service center on November 25 and individual customers on November 16, with some messages containing personal details like names and addresses. Police have obtained IP addresses linked to the emails and are conducting an international investigation. The breach reportedly involved outdated security credentials, with allegations that a former developer continued accessing internal systems for five months after leaving the company, using authentication keys that were never revoked. Initial reports confirmed 4,500 accounts were compromised, but the scope expanded to 33.7 million records. No phishing or smishing scams have been reported yet, but authorities are monitoring the dark web for signs of data trading.
Overview of the Data Breach
One of South Korea’s largest e-commerce platforms, Coupang, is at the center of a massive cybersecurity incident involving the personal information of 33.7 million customer accounts. The breach represents one of the most significant data security failures in the country’s e-commerce history, affecting millions of users who trusted the platform with their personal details.
The leaked information potentially includes customer names, addresses, contact information, and other personal data stored within Coupang’s systems. This exposure puts millions of customers at risk of identity theft, phishing attacks, and other forms of fraud that commonly follow large-scale data breaches.
Police Investigation and Email Tracking
The Seoul Metropolitan Police Agency’s cybercrime unit is actively pursuing leads in this complex investigation. Authorities have identified two distinct email accounts used to send threatening messages related to the breach:
Email to Coupang Customer Service (November 25):
- Sender claimed to possess user personal information
- Demanded stronger security measures
- Threatened to expose the breach to media
- No ransom demand was made
Emails to Individual Customers (November 16):
- Messages contained actual personal details including names and addresses
- Multiple customers filed complaints with Coupang
- Demonstrated the attacker had access to genuine customer data
According to police officials, investigators have successfully obtained the IP addresses associated with both email accounts and launched an international investigation to track down the perpetrator. The investigation is now focused on determining whether both email accounts belong to the same individual and whether that person is directly responsible for the data leak itself.
Timeline of Events
The Coupang data breach unfolded over several weeks, with key developments revealing the scope and severity of the incident:
- November 16, 2025 – Multiple Coupang users received threatening emails containing their personal information
- November 18, 2025 – Coupang acknowledged that 4,500 user accounts had been compromised and launched an internal investigation; police began a preliminary investigation after receiving Coupang’s report
- November 25, 2025 – Coupang’s customer service center received a threatening email from a different account; Coupang filed a formal complaint with police over violations of the Act on Promotion of Information and Communications Network Utilization and Information Protection
- November 28, 2025 – Police questioned Coupang representatives as part of the investigation
- December 1, 2025 – The full scope was revealed with 33.7 million customer records potentially compromised; allegations emerged about security vulnerabilities involving a former employee
Security Vulnerabilities Exposed
The investigation has uncovered serious security flaws in Coupang’s internal systems that may have enabled this massive breach. Representative Choi Min-hee of the National Assembly’s Science, ICT, Broadcasting and Communications Committee revealed critical information about authentication system weaknesses.
Key Security Failures Identified:
- Outdated Authentication Credentials: The breach allegedly involved a developer responsible for Coupang’s authentication system who maintained access to internal servers for approximately five months after leaving the company
- Long-Lived Authentication Keys: Coupang documents submitted to the National Assembly stated that authentication key validity periods are commonly set at five to 10 years
- Failure to Revoke Access: Even after an employee’s departure, valid authentication keys could be used to generate new access tokens, allowing continued unauthorized access
- Inadequate Key Management: Coupang reportedly failed to revoke or update the authentication key upon the developer’s resignation
According to officials from Representative Choi’s office, these authentication keys function like stamps for generating access tokens. Even when a token is deactivated after someone leaves the company, a still-valid authentication key can be exploited to create new access credentials.
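The "stamp" problem described above, as an added sketch that is not Coupang's code and does not come from the original report: a verifier that checks only token revocation accepts a token freshly minted with a retained key, while one that also checks the signing key's state rejects it. The HMAC token format, the key ID `k1`, the 90-day rotation limit and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

MAX_KEY_AGE = 90 * 86400  # assumed rotation policy in seconds, not from the article

def _sign(secret, body):
    return base64.urlsafe_b64encode(hmac.new(secret, body, hashlib.sha256).digest())

def mint(kid, secret, subject, token_id, now, ttl=900):
    """Issue a short-lived access token stamped with signing key `kid`."""
    claims = {"kid": kid, "sub": subject, "jti": token_id, "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return body + b"." + _sign(secret, body)

def verify(token, keys, revoked_tokens, now, check_key_state):
    """Return the claims if the token is accepted, else None."""
    body, _, sig = token.partition(b".")
    try:
        claims = json.loads(base64.urlsafe_b64decode(body))
        key = keys[claims["kid"]]
    except (ValueError, KeyError, TypeError):
        return None
    if not hmac.compare_digest(sig, _sign(key["secret"], body)):
        return None
    if claims["exp"] < now or claims["jti"] in revoked_tokens:
        return None
    # Hardened check: a revoked or over-age signing key invalidates every
    # token it stamps, including ones minted after offboarding.
    if check_key_state and (key["revoked"] or now - key["created"] > MAX_KEY_AGE):
        return None
    return claims

def offboarding_demo():
    day = 86400
    # Constructed key store; the secret is sample data.
    keys = {"k1": {"secret": b"constructed-demo-secret", "created": 0, "revoked": False}}
    revoked_tokens = set()
    secret = keys["k1"]["secret"]
    # Departure day: the person's current token is deactivated, the key is left alone.
    old = mint("k1", secret, "dev", "t-1", now=30 * day)
    revoked_tokens.add("t-1")
    # Later, a retained copy of the key stamps a new token with a new ID.
    fresh = mint("k1", secret, "dev", "t-2", now=60 * day)
    out = {"old_token": verify(old, keys, revoked_tokens, 30 * day, False) is not None,
           "fresh_token_only": verify(fresh, keys, revoked_tokens, 60 * day, False) is not None}
    keys["k1"]["revoked"] = True  # the missing offboarding step
    out["fresh_after_key_revoked"] = verify(fresh, keys, revoked_tokens, 60 * day, True) is not None
    return out

if __name__ == "__main__":
    print(offboarding_demo())
```
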
Customer Impact and Risk
The exposure of 33.7 million customer records creates significant risks for affected individuals. While no phishing or smishing scams have been reported in connection with the leaked data as of December 1, the potential for criminal exploitation remains high.
Potential Risks for Affected Customers:
- Identity theft using exposed personal information
- Targeted phishing emails claiming to be from Coupang
- Smishing attacks via text messages
- Social engineering attempts using leaked data
- Account takeover attempts on other platforms where customers reused passwords
- Financial fraud if payment information was compromised
The National Office of Investigation has stated it is actively working to prevent follow-up crimes by monitoring the dark web for signs that stolen data is being traded or sold. Authorities are also tracking the spread of misinformation and fake news related to the incident.
Coupang’s Response and Actions
Coupang has taken several steps in response to the breach, though questions remain about the adequacy and timeliness of these measures.
The company launched an internal investigation immediately after customers began reporting threatening emails containing their personal information. On November 18, Coupang publicly acknowledged that 4,500 accounts had been compromised, though this number would later prove to be a significant underestimate of the breach’s true scope.
On November 25, Coupang filed a formal complaint with police requesting an investigation into violations of data protection laws. The company cooperated with authorities by providing log records for analysis and submitting to questioning on November 28.
However, Coupang has declined to comment on specific details about the validity period of the authentication key allegedly used in the breach, citing the ongoing police investigation. This lack of transparency has drawn criticism from lawmakers and security experts who believe customers deserve full disclosure about the vulnerabilities that led to their data being exposed.
What Customers Should Do Now
If you are a Coupang customer, taking immediate action to protect your personal information is essential. Here are the critical steps you should follow:
Immediate Actions:
- Change Your Coupang Password – Visit Coupang’s website immediately and update your password to a strong, unique combination
- Enable Two-Factor Authentication – If Coupang offers this feature, activate it for an additional security layer
- Update Passwords on Other Accounts – If you reused your Coupang password elsewhere, change those passwords immediately
- Monitor Your Accounts – Regularly check your Coupang account for unauthorized activity or unfamiliar purchases
Ongoing Protection Measures:
- Be skeptical of emails or messages claiming to be from Coupang, especially those requesting personal information or urgent action
- Do not click links in unsolicited emails – instead, type the Coupang website address directly into your browser
- Watch your financial statements for unauthorized transactions
- Consider placing a fraud alert or credit freeze with credit bureaus
- Report any suspicious emails or messages to Coupang and local authorities
- Stay informed about updates from Coupang regarding the breach investigation
Red Flags to Watch For:
- Emails asking you to verify account information
- Messages with urgent language pressuring immediate action
- Communications requesting payment or financial information
- Texts or calls claiming your account has been compromised
- Requests to download attachments or software