Coupang Breach Exposes 33.7 Million Users in South Korea

South Korean E-Commerce Giant Coupang Discloses Massive Data Breach Affecting Over Half the Nation's Population

HIGH
December 1, 2025
Data Breach, Regulatory, Cloud Security

Impact Scope

People Affected

33.7 million customers

Industries Affected

Retail, Technology

Geographic Impact

South Korea (national)

Related Entities

Organizations

Korea Internet & Security Agency (KISA), Personal Information Protection Commission (PIPC), National Police Agency

Other

Coupang, Inc.; South Korea; China

Full Report

Executive Summary

On December 1, 2025, South Korean e-commerce giant Coupang, Inc. disclosed a massive data breach that exposed the personal information of 33.7 million customers. The unauthorized access, which began around June 24, 2025, went undetected for nearly five months until suspicious activity was identified on November 18, 2025. The attackers exploited an authentication vulnerability, with suspicion falling on a former employee whose authentication key may have been used. The compromised data includes customer names, email addresses, phone numbers, and delivery addresses. Financial data and login credentials were not affected. The company has initiated its incident response plan, notified relevant South Korean authorities, and is warning customers of potential phishing attacks.

Threat Overview

The breach affects one of South Korea's largest companies, often dubbed the "Amazon of Korea," impacting a user base equivalent to over half the country's population. The initial point of intrusion is believed to be the abuse of an authentication key, possibly belonging to a former employee from China, which remained active after their contract ended. This highlights a critical failure in identity and access management (IAM) offboarding procedures. The threat actor(s) leveraged this access for approximately five months, exfiltrating a large volume of customer PII from servers located outside of Korean jurisdiction. The prolonged dwell time without detection points to significant gaps in security monitoring and anomaly detection capabilities.

Technical Analysis

The attack vector was the exploitation of an authentication vulnerability combined with a failure in access control lifecycle management. The threat actor used a valid, but unauthorized, authentication key to access and exfiltrate customer data.

Attack Chain

  1. Initial Access: The attacker gained access using a valid authentication key that should have been revoked. This aligns with T1078 - Valid Accounts, specifically T1078.004 - Cloud Accounts.
  2. Persistence: The attacker maintained access from June to November 2025, suggesting a lack of monitoring for stale or unusually active credentials. This could be considered a form of T1136.003 - Create Account: Cloud Account if they established other footholds, or simply long-term abuse of the initial valid account.
  3. Data Collection & Exfiltration: The actor collected sensitive customer PII from Coupang's databases. This maps to T1530 - Data from Cloud Storage Object. The data was then exfiltrated over the network to "overseas servers," corresponding to T1048 - Exfiltration Over Alternative Protocol.

The core failure was procedural and technical: an authentication key for a former employee was not de-provisioned, granting long-term, unauthorized access to sensitive production data.

Impact Assessment

This incident has significant repercussions for Coupang and its customers. The exposure of names, emails, phone numbers, and physical addresses for 33.7 million people creates a massive risk of follow-on attacks, including targeted phishing, smishing, and social engineering campaigns. The company's stock price fell following the disclosure, indicating a loss of investor confidence. Reputational damage is substantial, especially given the initial underreporting of the incident's scale (from 4,500 to 33.7 million). The investigation by the Korea Internet & Security Agency (KISA) and the Personal Information Protection Commission (PIPC) could result in significant regulatory fines and penalties under South Korea's stringent data protection laws.

IOCs

No specific Indicators of Compromise (IOCs) such as IP addresses, domains, or file hashes have been publicly released.

Cyber Observables for Detection

Security teams should hunt for the following types of activity to detect similar threats:

Type | Value / Pattern | Description | Context | Confidence
api_endpoint | api.coupang.com/* | Monitor for anomalous access patterns to production APIs. | API Gateway Logs, CloudTrail | high
log_source | CloudTrail, VPC Flow Logs | Look for large data egress from database snapshots or storage buckets. | SIEM, Cloud Monitoring Tools | high
user_account_pattern | Former employee accounts | Audit all active service accounts and API keys, correlating them against a current list of employees and contractors. | IAM Tools, HR Systems | high
command_line_pattern | aws s3 cp s3://... or gsutil cp gs://... | Monitor command-line activity on bastion hosts or developer machines for large data transfers. | EDR, Shell History Logs | medium

Detection & Response

  • Log Analysis: Implement robust logging and monitoring for all API calls and data access requests. Use D3FEND technique Resource Access Pattern Analysis to baseline normal activity for service accounts and alert on deviations, such as access from unusual geographic locations or abnormally large data queries.
  • Alerting: Configure alerts for any activity from accounts belonging to former employees. An automated process should trigger an alert if an identity marked as 'terminated' in the HR system authenticates successfully.
  • Threat Hunting: Proactively hunt for long-lived access credentials that have not been rotated. Query IAM services for keys older than 90 days and investigate their usage patterns.
  • Incident Response: Upon detecting unauthorized access, immediately revoke the compromised credentials, analyze logs to determine the full scope of accessed data, and preserve evidence for forensic analysis.
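The hunting rules listed above (terminated-owner authentication, keys older than 90 days, and a dormant key suddenly becoming active, the D3-LAM case discussed later in the report), run over constructed sample data. This is an added example, not code from the original report or from Coupang; the HR roster, key inventory, CloudTrail-style events, placeholder key IDs and the 30-day dormancy threshold are all assumptions.

```python
from datetime import datetime, timezone

KEY_MAX_AGE_DAYS = 90   # rotation ceiling stated in the article
DORMANCY_DAYS = 30      # assumption: idle this long, then active again, is suspicious

# Constructed sample data (placeholders, not indicators from the incident):
# an HR roster, an IAM access-key inventory, and two CloudTrail-style events.
HR_ROSTER = {
    "alice": {"status": "active"},
    "contractor-07": {"status": "terminated", "end_date": "2025-05-31"},
}
KEY_INVENTORY = {  # last_used = last recorded use before the event being examined
    "AKIAEXAMPLE0001": {"owner": "alice", "created": "2025-10-01", "last_used": "2025-11-17"},
    "AKIAEXAMPLE0002": {"owner": "contractor-07", "created": "2025-01-15", "last_used": "2025-03-02"},
}
EVENTS = [
    {"eventTime": "2025-11-18T02:14:00Z", "eventName": "GetObject",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE0001"}, "sourceIPAddress": "10.0.1.5"},
    {"eventTime": "2025-06-24T03:41:00Z", "eventName": "GetObject",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE0002"}, "sourceIPAddress": "203.0.113.9"},
]

def _day(stamp):
    """Parse the date part of an ISO timestamp as a UTC datetime."""
    return datetime.strptime(stamp[:10], "%Y-%m-%d").replace(tzinfo=timezone.utc)

def hunt(events, roster, keys, today):
    """Return (rule, accessKeyId, detail) tuples for every rule that fires."""
    now = _day(today)
    findings = []
    for key_id, meta in keys.items():
        age = (now - _day(meta["created"])).days
        if age > KEY_MAX_AGE_DAYS:                      # rule 1: overdue for rotation
            findings.append(("stale_key", key_id, f"age={age}d"))
    for ev in events:
        key_id = ev["userIdentity"]["accessKeyId"]
        meta = keys.get(key_id)
        if meta is None:                                # key nobody inventoried
            findings.append(("unknown_key", key_id, "not in inventory"))
            continue
        owner = meta["owner"]
        if roster.get(owner, {}).get("status") == "terminated":   # rule 2
            findings.append(("terminated_owner_auth", key_id,
                             f"owner={owner} src={ev['sourceIPAddress']}"))
        idle = (_day(ev["eventTime"]) - _day(meta["last_used"])).days
        if idle > DORMANCY_DAYS:                        # rule 3: dormant key woke up
            findings.append(("dormant_key_reactivated", key_id, f"idle={idle}d"))
    return findings

if __name__ == "__main__":
    for finding in hunt(EVENTS, HR_ROSTER, KEY_INVENTORY, "2025-11-18"):
        print(finding)
```

In a real deployment the inventory would come from the IAM service and the events from the SIEM; only the rules and thresholds carry over.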

Mitigation

  • Access Control: Implement and enforce strict access control and identity lifecycle management. This is the primary mitigation. Use D3FEND technique User Account Permissions to ensure the principle of least privilege is applied to all accounts, especially service accounts.
  • Automated De-provisioning: Integrate HR systems with IAM platforms to ensure that all access (keys, accounts, permissions) is automatically revoked immediately upon an employee's termination. This is a critical failure point that must be addressed. This corresponds to MITRE Mitigation M1018 - User Account Management.
  • Credential Rotation: Enforce a strict policy for the mandatory rotation of all authentication keys and credentials, with a maximum lifetime of 90 days.
  • Data Monitoring: Deploy solutions to monitor and alert on large-scale data exfiltration from cloud storage and databases. This maps to MITRE Mitigation M1047 - Audit.

Timeline of Events

  1. June 24, 2025: Unauthorized access to Coupang's servers is believed to have begun.
  2. November 18, 2025: Coupang's security team detects suspicious activity, initiating an investigation.
  3. December 1, 2025: Coupang publicly discloses the data breach affecting 33.7 million users.
  4. December 1, 2025: This article was published.

MITRE ATT&CK Mitigations

  • User Account Management (M1018): Implement strict policies and automated procedures for provisioning, modifying, and de-provisioning user and service accounts, especially upon termination.
  • Enforce policies on account usage, such as session time-outs and concurrent session limits, to reduce the window of opportunity for misuse of compromised credentials.
  • Audit (M1047, Enterprise): Collect, review, and analyze logs for all authentication events and data access patterns to detect anomalies and unauthorized activities.
  • Manage the lifecycle of privileged accounts and credentials, including API keys and service accounts, to ensure they are rotated regularly and have minimal necessary permissions.

D3FEND Defensive Countermeasures

User Account Permissions (D3-UAP)

In the context of the Coupang breach, the failure to revoke an ex-employee's authentication key was the root cause. Implementing robust User Account Permissions is paramount. This goes beyond simple role-based access control (RBAC). A Zero Trust approach should be adopted where every access request is verified. For Coupang's platform, this means API keys and service accounts should have narrowly scoped permissions, granting access only to the specific resources required for their function. Furthermore, time-based access controls (TBAC) should be implemented, where credentials automatically expire after a set period (e.g., 90 days) or upon project completion. For critical data stores containing PII, access should require re-authentication or a secondary approval workflow, even for service accounts. An immediate action for Coupang would be to conduct a full audit of all active credentials, map them to current employees and systems, and aggressively revoke any that are unnecessary, undocumented, or overly permissive. This directly hardens the environment against the misuse of stale, valid credentials.

Local Account Monitoring (D3-LAM)

While the term 'Local Account' often refers to on-premise systems, its principles apply directly to cloud IAM accounts and API keys. The five-month dwell time in the Coupang breach indicates a severe lack of monitoring. Implementing D3-LAM involves establishing a baseline of normal activity for every service account and API key. For Coupang, this means knowing what 'normal' looks like for a key: what data it accesses, from what IP range, at what time of day, and the volume of data it typically queries. Security teams must deploy tools like AWS CloudTrail or GCP Cloud Audit Logs, feeding this data into a SIEM. From there, anomaly detection rules should be created to flag suspicious behavior. For instance, an alert should trigger if an API key used for fetching order statuses suddenly starts querying millions of customer address records, or if a key that has been dormant for months suddenly becomes active. This proactive monitoring is the only way to shrink the dwell time from months to minutes, allowing for rapid detection and response before a minor intrusion becomes a mega-breach.

Authentication Cache Invalidation (D3-ANCI)

This technique is crucial for ensuring that access revocation is immediate and effective. In the Coupang incident, the ex-employee's key remained valid. This suggests that even if the account was marked for termination, the authentication token or API key itself was not invalidated across all systems. A robust implementation of D3-ANCI requires a centralized identity provider (IdP) that can issue short-lived tokens and a mechanism to instantly propagate revocation events. When an employee is offboarded in the HR system, an automated workflow must trigger an API call to the IdP to immediately invalidate all active sessions, tokens, and API keys associated with that identity. This prevents a scenario where a cached credential on a server or in a configuration file can still be used. For Coupang, this means ensuring their authentication systems honor revocation lists in real time and do not rely on long-lived cached credentials, thus closing the window of opportunity for an attacker using a stolen or stale key.
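The offboarding workflow described here (and under Automated De-provisioning in the Mitigation section), modelled as an added example that is not Coupang's code or any vendor's product: a constructed in-memory IdP whose HR termination hook revokes API keys and adds the identity to a revocation list, and two relying services, one that trusts its token cache and one that checks the revocation list on every request. The identity `contractor-07`, the key ID `AKIAEXAMPLE0002` and the token lifetime are placeholders.

```python
from datetime import datetime, timedelta, timezone

class IdentityProvider:
    """Central IdP (constructed): issues short-lived tokens, owns the revocation list."""
    def __init__(self):
        self.api_keys = {}    # key_id -> owning identity
        self.revoked = set()  # identities whose credentials are all invalid

    def issue_token(self, owner, now, ttl_minutes=15):
        return {"sub": owner, "exp": now + timedelta(minutes=ttl_minutes)}

    def offboard(self, owner):
        """HR termination hook: one call invalidates every credential of the identity."""
        self.revoked.add(owner)
        for key_id in [k for k, o in self.api_keys.items() if o == owner]:
            del self.api_keys[key_id]

class RelyingService:
    """A downstream server that caches tokens it has already validated."""
    def __init__(self, idp, honor_revocation):
        self.idp = idp
        self.honor_revocation = honor_revocation
        self.cache = {}  # token_id -> cached token

    def login(self, token_id, token):
        self.cache[token_id] = token

    def authorize(self, token_id, now):
        tok = self.cache.get(token_id)
        if tok is None or now >= tok["exp"]:
            return False
        # The decisive check: consult the IdP's revocation list on every request,
        # not only the expiry stored with the cached token.
        if self.honor_revocation and tok["sub"] in self.idp.revoked:
            return False
        return True

def simulate(start="2025-06-24T00:00:00Z"):
    """Offboard 'contractor-07' (placeholder) while its unexpired token is cached."""
    now = datetime.strptime(start, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    idp = IdentityProvider()
    idp.api_keys["AKIAEXAMPLE0002"] = "contractor-07"      # placeholder key id
    token = idp.issue_token("contractor-07", now)
    naive = RelyingService(idp, honor_revocation=False)    # trusts its cache
    strict = RelyingService(idp, honor_revocation=True)    # checks revocation live
    for svc in (naive, strict):
        svc.login("t1", token)
    before = (naive.authorize("t1", now), strict.authorize("t1", now))
    idp.offboard("contractor-07")
    later = now + timedelta(minutes=5)                     # token not yet expired
    after = (naive.authorize("t1", later), strict.authorize("t1", later))
    return {"before": before, "after": after, "keys_left": list(idp.api_keys)}
```

The `after` result is the gap the paragraph describes: the cache-trusting service keeps honouring the terminated identity's token until it expires on its own.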

Sources & References

Coupang's massive data breach undercuts national security certification. Korea JoongAng Daily (koreajoongangdaily.co.kr), November 30, 2025.
South Korea's Coupang admits breach exposed 33.7M users. The Register (theregister.com), December 1, 2025.
Coupang falls after disclosing a major data breach (CPNG:NYSE). Seeking Alpha (seekingalpha.com), December 1, 2025.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Data Breach, E-commerce, Authentication, Access Control, Insider Threat, PII, South Korea
