Below is the an update posted on Dec 25, 2025 on the cybersecurity incident related to Coupang Corp, a Korean subsidiary of Coupang, Inc.

Coupang confirmed that the perpetrator has been identified, and that all devices used in the data leak have been retrieved.  The investigation to date indicates that the perpetrator retained limited user data from only 3,000 accounts and subsequently deleted the user data. 

Based on the investigation to date: 

• The perpetrator accessed 33 million accounts, but only retained user data from approximately 3,000 accounts. The perpetrator subsequently deleted the user data. 

• The user data included only 2,609 building entrance codes. No payment data, log-in data or individual customs numbers 

• The perpetrator never transferred any of the data to others 

We know the recent data leak has caused concern among our customers, and we apologize for the anxiety and inconvenience. Everyone at Coupang and the government authorities has been working tirelessly together to address this critical issue, and we are now providing an important update.  

Coupang used digital fingerprints and other forensic evidence to identify the former employee who leaked user data. The perpetrator confessed everything and revealed precise details about how he accessed user data.   

All devices and hard drives the perpetrator used to leak Coupang user data have been retrieved and secured following verified procedures. Starting from the submission of the perpetrator’s declaration to government officials on December 17, Coupang has been submitting all devices including hard drives to government officials as soon as we received them. Coupang has also been cooperating fully with all relevant ongoing government investigations. 

From the beginning, Coupang commissioned three top global cybersecurity firms—Mandiant, Palo Alto Networks, and Ernst & Young—to perform rigorous forensic investigation. 

The investigative findings to date are consistent with the perpetrator’s sworn statements: (i) that he accessed basic user data from 33 million customer accounts using a stolen security key, (ii) that he only retained user data from roughly 3,000 total accounts (name, email, phone number, address and part of order histories), (iii) that from the roughly 3,000 accounts, he only retained 2,609 building entrance access codes, (iv) that he deleted all stored data after seeing news reports of the leak, and (v) that none of the user data was ever transmitted to others.  

1. Perpetrator accessed basic user data using a stolen security key. The perpetrator stated that he was able to access limited user data—including names, emails, addresses, phone numbers—by stealing an internal security key that he took while still working at the company. Data logs and forensic investigation had already confirmed that the access was carried out using a stolen internal security key and included only the types of data the perpetrator specified (e.g., names, emails, addresses, phone numbers).  He did not access any payment data, log-in data, or individual customs numbers. 

2. Perpetrator gained very limited access to order history and building entrance codes. The perpetrator stated that while accessing basic data relating to a large number of customers, he only ever accessed the order history and building entrance codes for roughly 3,000 accounts. Independent forensic analysis of data logs had already determined that the number of building entrance codes for only 2,609 were ever accessed, just as the perpetrator reported. 

3. Perpetrator used a desktop PC and MacBook Air laptop for the attack. The perpetrator stated that he used a personal desktop PC and a MacBook Air laptop to provision access and to store a limited amount of user data. Independent forensic investigation confirmed that Coupang systems were accessed using one PC system and one Apple system as the primary hardware interfaces, exactly as the perpetrator described. The perpetrator relinquished the PC system and four hard drives used on the PC system, on which analysts found the script used to carry out the attack. 

4. Perpetrator sought to erase and dispose of the MacBook Air laptop in a river. The perpetrator stated that when news outlets reported on the data leak he panicked and sought to conceal and destroy the evidence. Among other things, the perpetrator stated that he physically smashed his MacBook Air laptop, placed it in a canvas Coupang bag, loaded the bag with bricks, and threw the bag into a nearby river. Using maps and descriptions provided by the perpetrator, divers recovered the MacBook Air laptop from the river. It was exactly as the perpetrator claimed—in a canvas Coupang bag loaded with bricks—and its serial number matched the serial number in the perpetrator’s iCloud account.  

5. Perpetrator retained a very small amount of user data, never transferred any of the data, and subsequently deleted all the stored user data. The perpetrator stated that he worked alone, that he only retained a small amount of user data from roughly 3,000 accounts, that the user data was only ever stored on his personal desktop PC and MacBook Air laptop, that none of that user data was ever transmitted to a third party, and that he deleted the stored data immediately after seeing news reports of the leak. The investigative findings to date are consistent with the perpetrator’s sworn statements and found no evidence that contradicts these statements.  

We will provide updates following the investigation and plan to separately announce compensation plans to our customers in the near future.  

Coupang remains fully committed to protecting customer data. We will cooperate fully with the government’s investigation, take all necessary steps to prevent further harm, and strengthen our measures to prevent recurrence. 

Coupang regrets the concern this incident has caused and apologizes to those affected.