Coupang CEO Apologizes After Ex-Employee Access Key Enables Massive Data Breach Affecting 33 Million Customers
Key Takeaways
- Massive scale: The personal data of over 33 million customers was exposed in what is being called South Korea's worst data breach in more than a decade.
- Suspected cause: The breach may have stemmed from the abuse of authentication vulnerabilities via a former employee's account with an active access key.
- Legal ramifications: Coupang is now facing a police investigation and the prospect of a major class-action lawsuit from affected customers.
South Korean e-commerce leader Coupang is at the center of a major investigation after suffering a massive data breach that exposed the personal information of more than 33 million customers. The incident, believed to have started on June 24 through overseas servers, was not discovered by the company until November 18.
Authentication Vulnerability and Suspected Insider Threat
According to South Korea's Science Minister, cited by Reuters, the attackers "abused authentication vulnerabilities" in Coupang's systems. A leading theory points to a former Chinese employee who was responsible for authentication tasks.
It is suspected that this individual used an authentication key that was not deactivated after their employment contract was terminated, allowing them to access the leaked Coupang customer data.
South Korean police said on Monday they are now tracing IP addresses and examining potential server vulnerabilities as part of their inquiry.
The breach exposed:
- customer names,
- email addresses,
- phone numbers,
- shipping addresses,
- some order histories.
However, payment details and login credentials were not compromised.
Reports say that on November 30, Coupang sent a text message to affected customers to apologize and announce that it had blocked the intrusion and would strengthen monitoring.
While police have not confirmed a suspect, the focus on insider access highlights a critical security lapse. Authorities are investigating whether Coupang violated regulations regarding the protection of personal information.
Potential for Coupang Class-Action Lawsuit
The fallout from the Coupang data breach is growing, with significant legal and financial consequences on the horizon. As of Monday, Reuters reported that over 10,000 individuals have expressed intent to join a potential Coupang class-action lawsuit.
Legal representatives suggest the compensation sought could exceed 100,000 won ($68) per person, potentially leading to substantial financial penalties for the e-commerce giant.
Last week, Comcast was fined $1.5 million by the FCC following the 2024 data breach at debt collector FBCS that exposed customer information, and a few days earlier, DoorDash disclosed an October data breach caused by a social engineering scam.





