A government-private investigation team confirmed that 33.67 million user records were leaked in Coupang's major data breach. This dwarfs the company's initial claim of 3,000 affected accounts, with fines and further probes announced over delayed reporting and evidence mishandling.
A joint public-private probe into Coupang Korea's data breach, which occurred in November 2025, concluded on February 10, 2026, led by the Ministry of Science and ICT. The investigation confirmed that 33.67 million users' names and email addresses were leaked, with the company's delivery list page accessed 148 million times. This page contained names, phone numbers, delivery addresses, and anonymized apartment entrance passwords.
Coupang initially reported only 3,000 compromised accounts but later acknowledged an additional 165,000. The probe's findings of 33.67 million did not include this later figure. Hackers exploited a vulnerability in the authentication system by forging digital passes to access servers.
The ministry highlighted that Coupang became aware of the breach at 4 p.m. on November 17 but delayed reporting until 9:35 p.m. on November 19, violating the 24-hour disclosure rule. It plans to impose a fine of up to 30 million won (about $20,560) and launch a separate investigation for failing to preserve evidence, including missing web logs from 2024 and app records from May-June 2025.
Coupang must submit recurrence prevention measures this month, with inspections scheduled for June-July. The breach potentially affects nearly all of Coupang's user base, impacting about two-thirds of South Korea's population. The analysis reviewed 25.6 terabytes of web access logs.
