South Korea says Coupang must address security loopholes in data breach probe

South Korea has launched a major cybersecurity probe after a massive data breach exposed the personal details of 33.7 million Coupang users, making it one of the country’s largest online security incidents. On February 10, 2026, regulators said the e-commerce giant must urgently fix serious security loopholes that allowed unauthorized access for several months. The breach, which ran from April to November 2025, involved stolen internal credentials used to bypass login systems. 

Authorities also criticized Coupang for delaying breach reporting, raising concerns about user safety and corporate accountability. With millions of customers affected, the case has sparked public outrage, regulatory pressure, and renewed debate over data protection standards in South Korea’s fast-growing digital economy.

What Triggered the Latest Coupang Security Investigation?

South Korea’s government has stepped up its probe into Coupang’s massive data breach. New findings show serious security loopholes. The attack went undetected for months. The Ministry of Science and ICT said about 33.7 million user records were exposed between April and November 2025. This is the largest e‑commerce breach in South Korea’s history. A former engineer stole an internal authentication key. He used it to make fake login tokens. This gave him access to customer accounts without normal authentication.

Investigators found that Coupang did not rotate security keys after the engineer left. The company also lacked systems to detect fake credentials. It reported the breach late, breaking South Korea’s information network law. Authorities have referred the case for further legal action.

Separate investigations by the police and the Personal Information Protection Commission are ongoing, and the ministry has formally demanded that Coupang introduce better detection and blocking systems for unauthorized access.

How Big Was the Coupang Data Leak?

The data breach at Coupang affected an estimated 33.7 million user accounts, a figure that represents nearly two‑thirds of South Korea’s population. This massive scale makes it one of the most significant commercial data exposures ever recorded in the country.

They're putting Rogers through hell, but they should sue the ROK government agencies first for past data breaches under Moon before they pick a fight over trivial procedural details. Coupang probably ranks as one of those few corps that actually made a report of the data breach… pic.twitter.com/vYAl7iZFfr

— Hermit (@clayjar) February 6, 2026

The compromised records included:

• Full names
• Phone numbers
• Email addresses
• Delivery addresses
• Apartment entrance codes stored in delivery details

Though the company says no payment or login passwords were leaked, authorities have raised alarms about how sensitive location data and personal contact information could be used in phishing and smishing scams or identity theft.

Coupang later disclosed an additional 165,000 accounts were part of the same breach, bringing the total to roughly 33.8 million affected users. The reclassified data was not from a second incident but part of the original breach investigation.

The scale and scope of this leak have made it a priority case for both regulators and law enforcement.

What Were the Main Security Failures Behind the Breach?

Investigators identified several major security failures that allowed the Coupang breach to occur and continue undetected:

Misuse of Internal Signing Key

A former internal engineer stole a sensitive authentication signing key, which was supposed to be revoked after the employee left. Instead, it remained valid and was used to generate fake login tokens, letting the attacker access user accounts without going through proper login checks.

Poor Detection Capabilities

Coupang’s systems lacked tools to detect forged login tokens or abnormal credential use. This gap meant the unauthorized access wasn’t flagged as a threat, even over several months.

Delayed Incident Reporting

Under Korean law, companies must report breaches promptly. Coupang became aware of the breach on November 17, 2025, but did not notify authorities until nearly two days later, violating legal requirements and drawing regulatory criticism.

Inadequate Evidence Preservation
 

The ministry found Coupang failed to preserve critical logs needed for investigating how the breach occurred. This failure could complicate both the administrative probe and potential legal actions.

Broader Regulatory Scrutiny

Beyond the breach itself, separate probes by the Personal Information Protection Commission are examining whether other data practices, such as the use of CCTV footage, were compliant with privacy laws.

These systemic weaknesses highlight broader concerns about data governance and internal cybersecurity hygiene. One AI analysis tool noted that strong cybersecurity infrastructure is increasingly viewed as essential for maintaining investor confidence, especially for consumer‑facing tech platforms.

What are the Regulatory and Legal Consequences?

Coupang now faces multiple regulatory and legal actions in South Korea and abroad. The Ministry of Science and ICT has demanded corrective actions, including the introduction of advanced detection systems for unauthorized access. Authorities also cited the company for violating the information network law by delaying its breach report and failing to preserve vital data.

Under Korean law, companies can be subject to fines and administrative penalties for such violations. Initial penalties could include a fine of up to 30 million won (about $20,000) for the delayed reporting breach alone.

Legal risks extend beyond fines. Victims affected by the data leak have filed a class‑action lawsuit in a U.S. federal court seeking punitive damages. The plaintiffs allege Coupang failed to protect personal data and did not take adequate steps to prevent the breach.

Moreover, South Korean authorities, including police and the Personal Information Protection Commission (PIPC), continue separate criminal and civil investigations. The PIPC is also exploring potential violations unrelated to the breach itself, such as unauthorized use of internal CCTV footage.

Together, these regulatory and legal pressures could influence Coupang’s operational policies and shape future data protection enforcement in the country.

How Has the Breach Impacted Coupang’s Business and Users?

The Coupang breach has had tangible effects on customer trust and platform usage. Market data showed a significant drop in daily active users (DAUs) shortly after the breach was disclosed. According to industry figures, daily users fell by more than 1.8 million in early December 2025.

1 million users left Coupang in January alone: Earthquake in Korean e-commerce market as the boycotts against the US company accelerates
byu/Freewhale98 inBoycottUnitedStates

Recent community reports also suggest around 1.1 million users left the Coupang platform in January 2026 alone, highlighting ongoing backlash and user defections. Various users have shared personal experiences of suspected misuse of leaked data, including scam attempts tied to compromised information.

Public sentiment surveys reflect growing mistrust. A poll found that over 60% of Koreans were considering leaving Coupang permanently, with many demanding criminal charges or business restrictions.

While the headline on Coupang ( $CPNG ) suggest another data leak, which would have been really devastating, this is not a new leak.

The team identified additional 165K accounts that were affected during the previous Nov 2025 data breach.

In any case, it is not a good news that… pic.twitter.com/07giFx4NI1

— Vivek S (@VivekChirps) February 5, 2026

Competitors like Gmarket and Naver Shopping saw increased traffic and user signups as customers sought alternatives.

This erosion of confidence has implications not just for user retention, but also for Coupang’s brand image and future growth prospects, especially as regulators tighten scrutiny on data protection standards.

Final Words

The Coupang data breach shows how critical cybersecurity is for consumer trust and business survival. Millions of users were affected, regulators are enforcing stricter rules, and the company must act fast to close security gaps. This incident highlights the rising stakes for digital platforms in South Korea and the importance of strong data protection in today’s e-commerce landscape.

Frequently Asked Questions (FAQs)

Disclaimer:

The content shared by Meyka AI PTY LTD is solely for research and informational purposes. Meyka is not a financial advisory service, and the information provided should not be considered investment or trading advice.