Coupang, South Korea’s largest e-commerce platform, confirmed on February 5, 2026 that an additional 165,000 user accounts were exposed in the massive data breach originally disclosed in November 2025. The total affected accounts now stand at approximately 33.9 million, making it one of the largest data breaches in South Korean history.
Incident overview
| Attribute | Details |
|---|
| Company | Coupang, Inc. (NYSE: CPNG) |
| Total accounts affected | ~33.9 million |
| Original disclosure | November 2025 |
| Additional accounts | 165,000 (February 2026) |
| Attack vector | Former employee with valid auth keys |
| Detection delay | ~6 months |
| Compensation | 50,000 KRW ($34) per user |
| Market impact | $8+ billion market cap loss |
Timeline
| Date | Event |
|---|
| Early 2025 | Unauthorized access begins (estimated) |
| Mid-2025 | Former employee exfiltrates data |
| November 2025 | Coupang discloses breach affecting 33.7M accounts |
| November 2025 | South Korean government launches investigation |
| December 2025 | National Assembly hearings begin |
| January 2026 | CEO resigns |
| February 2, 2026 | Hagens Berman announces securities class action |
| February 5, 2026 | 165,000 additional accounts confirmed affected |
| February 7, 2026 | Interim CEO Harold Rogers faces police questioning |
Data exposed
What was compromised
| Data type | Status |
|---|
| Names | Exposed |
| Phone numbers | Exposed |
| Shipping addresses | Exposed |
| Address lists | Exposed |
What was NOT compromised
| Data type | Status |
|---|
| Payment details | Not exposed |
| Login credentials | Not exposed |
| Entrance passwords | Not exposed |
| Email addresses | Not exposed |
| Order histories | Not exposed |
While the breach scope is massive, Coupang emphasized that the most sensitive financial and authentication data remained protected.
Root cause: Insider threat
Attack mechanism
| Factor | Details |
|---|
| Threat actor | Former employee |
| Access method | Valid authentication keys |
| Key status | Remained active after departure |
| Detection | Failed for approximately 6 months |
| Vulnerability | Credential lifecycle management failure |
Security failures
| Failure | Impact |
|---|
| No credential revocation | Former employee retained access |
| Insufficient monitoring | Anomalous access undetected |
| Delayed detection | 6-month dwell time |
| Disclosure timing | Allegations of investor notification delays |
Corporate fallout
Leadership changes
| Position | Status |
|---|
| CEO | Resigned (January 2026) |
| Interim CEO | Harold Rogers |
| Police questioning | Scheduled for February 7, 2026 |
| Perjury allegations | Under investigation |
Financial impact
| Metric | Impact |
|---|
| Market cap loss | $8+ billion |
| Compensation fund | $1.2 billion |
| Per-user compensation | 50,000 KRW ($34) |
| Additional 165K compensation | Same terms |
Legal exposure
| Action | Status |
|---|
| Securities class action | Filed (Hagens Berman) |
| Allegation | Misleading investors about security |
| Government investigation | Ongoing |
| National Assembly hearings | Conducted December 2025 |
Securities lawsuit details
Hagens Berman allegations
| Claim | Details |
|---|
| Misrepresentation | Touted “proactive security” and “administrative safeguards” |
| Reality | Failed to detect breach for 6 months |
| Disclosure delay | Allegedly delayed informing investors |
| Impact | Investors suffered losses when breach disclosed |
Class period
| Attribute | Details |
|---|
| Law firm | Hagens Berman Sobol Shapiro LLP |
| Deadline | February 2026 (2-week alert issued) |
| Claim type | Securities fraud |
| Exchange | NYSE: CPNG |
Government response
Pan-government investigation
| Agency | Role |
|---|
| Personal Information Protection Commission | Data protection oversight |
| Seoul Metropolitan Police | Criminal investigation |
| National Assembly | Hearings and oversight |
| Financial regulators | Investor protection review |
Regulatory implications
| Regulation | Potential violation |
|---|
| Personal Information Protection Act | Data security requirements |
| Securities disclosure rules | Timely investor notification |
| Corporate governance standards | Executive accountability |
Compensation program
Terms
| Attribute | Details |
|---|
| Amount | 50,000 KRW (~$34) per user |
| Form | Coupang vouchers |
| Original affected | 33.7 million |
| Additional affected | 165,000 |
| Total liability | ~$1.2 billion |
Criticism
| Concern | Issue |
|---|
| Voucher vs. cash | Users must spend at Coupang |
| Adequacy | $34 may not cover identity protection |
| Opt-in required | Users must claim compensation |
Impact on foreign business in Korea
Regulatory scrutiny
The Coupang investigation has broader implications for foreign-owned businesses operating in South Korea:
| Factor | Impact |
|---|
| Heightened scrutiny | Data protection compliance |
| Disclosure expectations | Faster breach notification |
| Executive accountability | Personal liability concerns |
| Market perception | Trust in foreign platforms |
Recommendations
For Coupang users
| Priority | Action |
|---|
| Immediate | Claim compensation vouchers |
| Immediate | Monitor for phishing using leaked contact info |
| High | Update account security settings |
| High | Watch for shipping address fraud |
| Ongoing | Be alert to targeted scams |
For organizations
| Priority | Action |
|---|
| Critical | Revoke credentials immediately upon employee departure |
| Critical | Implement privileged access management |
| High | Monitor for anomalous data access patterns |
| High | Conduct regular access audits |
| Medium | Review insider threat detection capabilities |
For insider threat prevention
| Control | Purpose |
|---|
| Just-in-time access | Reduce standing privileges |
| Behavioral analytics | Detect anomalous access |
| Data loss prevention | Alert on bulk data exports |
| Credential lifecycle automation | Ensure prompt revocation |
| Separation of duties | Limit single-point exposure |
E-commerce sector implications
Common vulnerabilities
| Issue | Risk |
|---|
| Vast customer databases | High-value targets |
| Former employee access | Credential management gaps |
| Detection challenges | Legitimate credentials used |
| Disclosure pressure | Balancing transparency with investigation |
Lessons learned
| Lesson | Application |
|---|
| Zero trust for insiders | Former employees are threat actors |
| Detection over prevention | Assume breach, detect quickly |
| Credential hygiene | Automated revocation essential |
| Disclosure timing | Delays compound damage |
Context
The Coupang breach illustrates the devastating impact of insider threats combined with poor credential management. A single former employee with valid authentication keys accessed data on nearly 34 million users over approximately six months without detection.
The breach’s aftermath—CEO resignation, $8 billion in lost market value, class action lawsuits, and government investigations—demonstrates the catastrophic business consequences of security failures at scale.
For organizations worldwide, the key lesson is clear: credential revocation upon employee departure must be automatic and immediate. The Coupang breach was entirely preventable had authentication keys been revoked when the employee left the company.
The case also highlights the growing regulatory and legal exposure companies face for data breaches. Beyond operational remediation costs, Coupang faces securities fraud allegations, suggesting that breach disclosure timing is now a material investor concern.
South Korea’s aggressive investigation—including National Assembly hearings, police questioning of executives, and potential perjury charges—signals that governments globally are taking data protection enforcement seriously. Organizations operating internationally must prepare for multi-jurisdictional accountability.
For the 33.9 million affected users, the exposure of names, phone numbers, and shipping addresses creates ongoing risk for targeted phishing and fraud. While financial data was protected, the combination of personal information enables social engineering attacks that may persist for years.
