Overview
- Records show unauthorized access occurred on Nov. 6 at 6:38 p.m. and was detected the night of Nov. 18, a 12-day gap confirmed in a KISA report to a lawmaker.
- The exposed data included names, emails, phone numbers, saved delivery addresses and details of each affected user’s five most recent orders.
- Coupang reports no evidence of intrusion into payment systems or its internal network and says there are no confirmed cases of misuse so far.
- Initial findings indicate the attacker exploited a signed access token, and Coupang says it has revoked related keys, blocked the access route and tightened detection and monitoring.
- The company notified all affected users, urged vigilance against scam texts or calls, and reported the incident to the Ministry of Science and ICT, KISA and the Personal Information Protection Commission.