▲ Coupang Data Breach
It has been revealed that extortion emails sent to Coupang by a former employee who orchestrated a massive personal data breach contained a significant amount of sensitive information, including records of users' purchases of adult products and underwear.
According to documents regarding sanctions against Coupang released by the Personal Information Protection Commission (PIPC) yesterday (June 11), the attacker—a former Coupang employee—leaked delivery addresses and personal member information starting April 14, 2025, by accessing pages for managing and modifying delivery addresses and member information.
The attacker also accessed the order history page over 80,000 times to steal apartment building entrance codes and order details.
The hacker reconstructed profiles for each member by combining the leaked information and sent two extortion emails containing sample data to both the members and Coupang, respectively.
In the second extortion email, the hacker claimed to possess 120 million Korean user addresses, 560 million order records, and over 33 million email addresses, providing a breakdown of the data by region and email domain.
The PIPC determined that the sample data included in the extortion emails at the time contained various sensitive information, such as users' purchase histories for adult products and underwear.
Similar concerns regarding the inclusion of such sensitive information in the leaked data were raised during a parliamentary interpellation session held in February of this year.
During the interpellation session at the National Assembly on February 11, Representative Kim Seung-won of the Democratic Party of Korea claimed that the suspect in the Coupang data breach had specifically targeted 3,000 people who had ordered adult products for extortion, arguing that a list of such customers had been created by the hacker.
However, Coupang denied these claims, stating, "There is absolutely no truth to the claim that the attacker created a separate list of adult product orders to extort money," and added that it was "regrettable that information contrary to the facts was mentioned during the parliamentary interpellation."
The PIPC stated that, as of now, there is no evidence that the hacker has disclosed the leaked information, including the various sensitive data, to external sources such as the dark web.
Nevertheless, the commission urged users to exercise extreme caution, as the leaked personal information could be misused for phishing, smishing, spam, or lead to payment fraud and other financial crimes at any time.
※ Please note: This article was translated by AI and may contain errors.