South Korean e-commerce platform Coupang over the weekend reported that nearly 34 million Koreans’ personal information had been leaked in a data breach that had been going on for more than five months.
The company said it first detected the unauthorized exposure of 4,500 user accounts on Nov. 18, but a subsequent investigation revealed that the breach actually compromised about 33.7 million customer accounts in South Korea.
The breach affected customer names, email addresses, phone numbers, shipping addresses and some order histories, according to Coupang. More sensitive data such as payment information, credit card numbers and login credentials were not compromised and remain secure, the company said.
Coupang said it has reported the incident to the Korea Internet Security Agency (KISA), the Personal Information Protection Commission (PIPC) and the National Police Service.
One of South Korea’s largest e-commerce platforms, Coupang also offers an express trade service called “Rocket Delivery” in the country and also operates its marketplace in Japan and Taiwan. A Coupang spokesperson told TechCrunch that the investigation found no evidence that consumer data from Coupang Taiwan or Rocket Now was affected by the data breach.
“Based on the investigation so far, it is believed that the unauthorized access to personal information began on June 24, 2025, through servers overseas,” the company said. “Coupang has eliminated the unauthorized access path, strengthened internal monitoring and retained expertise from a leading independent security firm.”
The police have according to information has identified at least one suspect, a former Chinese Coupang employee now overseas, after launching an investigation following a Nov. 18 complaint.
Techcrunch event
San Francisco
|
13-15 October 2026
This is the latest in a series of cyber security incidents in South Korea this year. Coupang itself has suffered several data breaches exposed customer and delivery driver information the previous years. Previous incidents included leaks between 2020 and 2021, and more recently in December 2023when its vendor management system compromised the personal information of more than 22,000 customers.
