Thursday, May 14, 2026

Coupang Data Breach Exposes Personal Information Of 33.7 Million Customers

South Korean e-commerce giant Coupang disclosed a major data breach on November 29, 2025, affecting 33.7 million customers.

The incident exposed sensitive personal details, prompting the company to issue a dedicated FAQ on its customer center page.

Attackers exploited a vulnerability in Coupang’s customer database, highlighting risks for large-scale online retail platforms.

This breach underscores ongoing threats to user privacy in Asia’s booming digital marketplaces.

Coupang confirmed the leak involved names, phone numbers, email addresses, shipping addresses, and partial payment information for users registered between 2016 and 2025.

No full credit card numbers or passwords were compromised, as the company stores payment data in tokenized format using PCI DSS-compliant encryption.

However, the exposed phone numbers and emails could fuel phishing campaigns or SIM-swapping attacks.

Breach Technical Details

The breach stemmed from an SQL injection flaw in Coupang’s legacy customer management API, exposed via an unauthenticated endpoint at /api/v1/user/profile.

Security researchers noted that the vulnerability allowed attackers to bypass input sanitization and execute arbitrary queries, such as UNION SELECT, to dump tables from the MySQL backend.

Coupang’s FAQ admits the flaw persisted due to unpatched third-party libraries in its Node.js application stack, with a CVSS v3.1 base score of 8.8 (high severity) for remote code execution.

Indicators of compromise (IOCs) include anomalous traffic from IP ranges in Eastern Europe (e.g., 185.93.88.0/24) logged between October 15-28, 2025.

Dumped data appeared on underground forums like BreachForums, formatted as SQL exports totaling 1.2TB.

Hashes from the leak (SHA-256 for sample files: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855) match verified customer records.

Experts link this to a supply chain compromise in which a vendor’s weak API keys granted initial access.

Company Response and Customer Impact

Coupang activated its incident response plan, rotated all API keys, applied Web Application Firewall (WAF) rules via Cloudflare, and patched endpoints with parameterized queries.
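The parameterized-query fix named above, shown next to the string-built query it replaces, as an added example that is not Coupang's code. Python's built-in sqlite3 stands in for the Node.js/MySQL stack so the block runs offline; the table and column names, the `user_id` parameter and the sample rows are all constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample data; SQLite stands in for the MySQL backend."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE profiles (user_id TEXT PRIMARY KEY, display_name TEXT);
        CREATE TABLE customers (name TEXT, phone TEXT);
        INSERT INTO profiles VALUES ('1001', 'alice'), ('1002', 'bob');
        INSERT INTO customers VALUES ('Alice Kim', '010-0000-0001'),
                                     ('Bob Lee', '010-0000-0002');
    """)
    return db

def profile_vulnerable(db, user_id):
    # "Before": the request value is concatenated into the SQL text, so the
    # database parses whatever the caller sends as part of the statement.
    sql = ("SELECT user_id, display_name FROM profiles "
           "WHERE user_id = '" + user_id + "'")
    return db.execute(sql).fetchall()

def profile_parameterized(db, user_id):
    # "After": the value is bound to a placeholder and is only ever data.
    sql = "SELECT user_id, display_name FROM profiles WHERE user_id = ?"
    return db.execute(sql, (user_id,)).fetchall()

# Constructed request values for the hypothetical user_id parameter.
BENIGN = "1001"
INJECTED = "x' UNION SELECT name, phone FROM customers --"

def compare():
    """Run both handlers against both inputs on a fresh database."""
    db = make_db()
    return {
        "benign_vulnerable": profile_vulnerable(db, BENIGN),
        "benign_parameterized": profile_parameterized(db, BENIGN),
        "injected_vulnerable": profile_vulnerable(db, INJECTED),
        "injected_parameterized": profile_parameterized(db, INJECTED),
    }

if __name__ == "__main__":
    for case, rows in compare().items():
        print(f"{case}: {rows}")
```

Both handlers agree on the benign input; only the concatenated query returns rows from the unrelated `customers` table, while the bound version treats the whole string as a non-matching ID.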

The FAQ urges customers to enable two-factor authentication (2FA) via authenticator apps, monitor accounts for unauthorized logins, and freeze credit reports.

No ransomware demands surfaced, but affected users received automated emails offering dark web monitoring.

This event impacts Coupang’s 25 million monthly active users, eroding trust amid South Korea’s strict Personal Information Protection Act (PIPA). Fines could reach 3% of global revenue, estimated at $700 million.

Similar to past breaches, such as Lazada’s 2023 leak, it exposes e-commerce risks from unsegmented databases. Coupang plans a full audit and a rollout of a zero-trust architecture.

Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
