Full Report
South Korea's largest retailer, Coupang, has suffered a data breach that exposed the personal information of 33.7 million customers. [...]
Analysis Summary
# Incident Report: Coupang Customer Data Breach
## Executive Summary
South Korea's largest retailer, Coupang, suffered a significant data breach exposing the personal information of approximately 33.7 million customers. The incident, which occurred in June 2025, involved the unauthorized exfiltration of customer names, contact details, and order history. Coupang discovered the breach in November 2025 after initially detecting unauthorized access involving a small subset of accounts.
## Incident Details
- Discovery Date: November 18, 2025
- Incident Date: June 24, 2025
- Affected Organization: Coupang
- Sector: E-commerce/Retail
- Geography: South Korea
## Timeline of Events
### Initial Access
- Date/Time: June 24, 2025 (Approximate)
- Vector: Exploitation of an internal vulnerability, possibly involving a former employee.
- Details: Unauthorized access was gained to systems containing customer data.
### Lateral Movement
- Date/Time: Between June 24, 2025, and November 18, 2025
- Vector: Use of *unrevoked access tokens* (as per secondary reporting).
- Details: Attackers moved internally to access and aggregate highly sensitive customer records.
### Data Exfiltration/Impact
- Date/Time: Occurred during the access period (pre-November 18, 2025)
- Details: Personal information for 33.7 million customer accounts was stolen.
### Detection & Response
- Date/Time: November 18, 2025
- Details: Coupang detected unauthorized access related to approximately 4,500 customer accounts. Subsequent investigation revealed the full scope of 33.7 million exposed accounts. The firm immediately began an investigation and notified relevant authorities.
## Attack Methodology
*Note: Specific technical details are limited in the provided source.*
- Initial Access: Unauthorized access via existing credentials/tokens.
- Persistence: Implied via the use of "unrevoked access tokens" allowing continued access after the initial vulnerability was exploited.
- Privilege Escalation: Not explicitly stated, but necessary to access the data of 33.7 million users.
- Defense Evasion: Not explicitly stated.
- Credential Access: Unrevoked access tokens were utilized.
- Discovery: Not explicitly stated, but required to locate and compile all targeted customer data.
- Lateral Movement: Movement within the internal network to aggregate data from multiple customer records.
- Collection: Gathering of personally identifiable information (PII) and order details.
- Exfiltration: Theft of the collected data.
- Impact: Mass exposure of customer personal data.
## Impact Assessment
- Financial: Not specified.
- Data Breach: Personal information of approximately 33.7 million customers exposed, specifically: full names, phone numbers, email addresses, physical addresses, and order information. **Payment details (credit cards) and passwords were confirmed NOT exposed.**
- Operational: Investigation and mandatory reporting to regulatory bodies.
- Reputational: Significant negative impact due to the scale of the breach (affecting nearly all customers).
## Indicators of Compromise
- *No specific IoCs (IPs, domains, hashes) were provided in the source material.*
- Behavioral Indicators: unusually high-volume access to customer records, or activity attributable to residual (unrevoked) access tokens that should no longer be in use.
## Response Actions
- **Containment/Eradication:** Investigation launched immediately upon initial detection (Nov 18, 2025). Implied steps included identifying and likely revoking the compromised access tokens.
- **Notification:** Reported the incident to South Korean authorities: the National Police Agency, the Personal Information Protection Commission, and the Korea Internet & Security Agency (KISA).
- **Customer Communication:** Notifying impacted individuals via email or SMS.
- **Mitigation Advice:** Warning customers to be vigilant against phishing/impersonation attempts targeting the exposed PII.
## Lessons Learned
- **Access Control Failure:** The continued use of unrevoked access tokens belonging to a former employee indicates a critical failure in the offboarding / access-revocation process within identity and access management (IAM).
- **Delayed Detection:** The significant gap (June 24 to November 18) between the incident and its discovery shows that continuous monitoring and anomaly detection were insufficient to flag widespread access to customer data.
## Recommendations
- Immediately revise and enforce a strict **access token lifecycle management policy**, ensuring immediate and comprehensive revocation of all credentials (including service tokens) upon employee/contractor termination or role change.
- Implement enhanced **Data Loss Prevention (DLP)** and **Behavioral Analytics** tools to detect and alert on unusual volumes of PII access or data extraction from customer databases.
- Conduct mandatory security audits (penetration testing) focusing specifically on credential hygiene and the integrity of IAM processes.
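The two controls the Lessons Learned and Recommendations sections call for, revoking tokens on offboarding and alerting on unusual volumes of PII access, can be checked against the same access-log stream. The script below is an added example and is not Coupang's code or anything from the source report: it replays a constructed set of JSON access-log lines against a constructed token inventory and raises a finding for a token used after its owner's offboarding date, for a token absent from the inventory, and for a token that touches more distinct customer records in a day than a baseline threshold. The inventory, the log format, the token names and the threshold of 5 records per day are all assumptions for illustration.

```python
"""Token-lifecycle and PII-volume detector (added example; all data constructed)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime
import json

# Constructed token inventory (assumption): token id -> owner and offboarding date.
# "offboarded": None means the owner is still active.
TOKEN_INVENTORY = {
    "tok-ops-1": {"owner": "alice", "offboarded": None},
    "tok-ops-7": {"owner": "bob", "offboarded": "2025-05-31"},  # owner left; token never revoked
}

# Constructed access-log lines (assumption: one JSON object per line, as an API
# gateway in front of a customer-record service might emit).
SAMPLE_LOG = """\
{"ts": "2025-06-24T02:11:05Z", "token": "tok-ops-7", "customer_id": 1001}
{"ts": "2025-06-24T02:11:06Z", "token": "tok-ops-7", "customer_id": 1002}
{"ts": "2025-06-24T02:11:07Z", "token": "tok-ops-7", "customer_id": 1003}
{"ts": "2025-06-24T02:11:08Z", "token": "tok-ops-7", "customer_id": 1004}
{"ts": "2025-06-24T02:11:09Z", "token": "tok-ops-7", "customer_id": 1005}
{"ts": "2025-06-24T02:11:10Z", "token": "tok-ops-7", "customer_id": 1006}
{"ts": "2025-06-24T09:30:00Z", "token": "tok-ops-1", "customer_id": 2001}
{"ts": "2025-06-24T09:31:00Z", "token": "tok-ops-1", "customer_id": 2002}
{"ts": "2025-06-25T10:00:00Z", "token": "tok-unknown-9", "customer_id": 3001}
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # "unrevoked_token", "unknown_token" or "high_volume_access"
    token: str
    day: str     # ISO date the finding applies to
    detail: str


def parse_log(text):
    """Parse JSON-lines access records, converting the timestamp to a datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def detect(events, inventory, max_distinct_customers_per_day=5):
    """Return findings for revocation failures, unknown tokens and high-volume PII access."""
    findings = []
    touched = defaultdict(set)      # (token, day) -> distinct customer ids read
    seen_days = defaultdict(set)    # token -> days on which it was used
    for ev in events:
        day = ev["ts"].date()
        touched[(ev["token"], day)].add(ev["customer_id"])
        seen_days[ev["token"]].add(day)

    # Lifecycle checks: one finding per token per day so a long-lived problem is visible.
    for token, days in sorted(seen_days.items()):
        entry = inventory.get(token)
        for day in sorted(days):
            if entry is None:
                findings.append(Finding("unknown_token", token, day.isoformat(),
                                        "token not present in inventory"))
            elif entry["offboarded"] and day > date.fromisoformat(entry["offboarded"]):
                findings.append(Finding("unrevoked_token", token, day.isoformat(),
                                        f"owner {entry['owner']} offboarded {entry['offboarded']}"))

    # Volume check: distinct customer records per token per day against a baseline.
    for (token, day), customers in sorted(touched.items()):
        if len(customers) > max_distinct_customers_per_day:
            findings.append(Finding("high_volume_access", token, day.isoformat(),
                                    f"{len(customers)} distinct customer records "
                                    f"(threshold {max_distinct_customers_per_day})"))
    return findings


def run_sample():
    """Run the detector over the constructed log and inventory."""
    return detect(parse_log(SAMPLE_LOG), TOKEN_INVENTORY)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.day}  {f.kind:<20} {f.token:<14} {f.detail}")
```

In a real deployment the inventory lookup would come from the identity provider's user and token records, and the per-day threshold would be replaced by a per-role baseline learned from historical access; the structure of the two checks stays the same. Note that the volume check flags the offboarded token's burst on June 24 independently of the lifecycle check, so either control alone would have produced an alert on the first day of misuse in this constructed scenario.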