Executive Summary
In 2025, Coupang, one of South Korea’s largest e-commerce platforms, suffered a data breach that went undetected for roughly five months before its disclosure late that year, compromising the personal information of approximately 33.7 million users. The attacker, suspected to have used compromised insider credentials rather than a software exploit, gained unauthorized access to databases holding user details including names, email addresses, and contact information. The extended dwell time, during which the threat actor could exfiltrate large volumes of data without being noticed, raises questions about Coupang’s monitoring and response capabilities. Business impacts include reputational damage, regulatory scrutiny, and an increased risk of fraud and phishing targeting affected users.
This incident is highly relevant as it demonstrates the growing threat of credential and insider abuse, long dwell times, and the necessity for more rigorous data protection practices as regulatory pressure around personal data intensifies worldwide.
Why This Matters Now
Coupang’s breach underscores the urgent need for robust identity management, encryption, and insider threat detection. As attackers increasingly target privileged access and insider credentials in high-value organizations, companies face heightened expectations from regulators and customers to go beyond baseline compliance and safeguard user data proactively.
Attack Path Analysis
Public reporting attributes the intrusion to valid credentials rather than to a software exploit, so the path below is a reconstruction from that reporting and from how insider-credential abuse typically unfolds; steps Coupang has not confirmed are marked as such. The adversary authenticated with compromised credentials, possibly obtained through insider abuse or phishing (not confirmed). From that foothold the attacker may have escalated privileges to reach sensitive data stores and moved laterally to additional services or databases (not confirmed). Access persisted, through long-lived sessions or remote management tooling, for roughly five months without detection. Customer data was then exfiltrated in volume. The confirmed impact is the exposure of 33.7 million customer records and the privacy and regulatory consequences that follow.
Kill Chain Progression
Initial Compromise
Description
The attacker obtained valid credentials, potentially through insider abuse or credential compromise, to gain initial unauthorized access to Coupang's environment.
Related CVEs
None assigned. Public reporting attributes the intrusion to the use of valid credentials, not to exploitation of a disclosed software vulnerability, so no CVE, CVSS score, or affected-product entry applies to this incident.
MITRE ATT&CK® Techniques
Valid Accounts (T1078) – supported by public reporting
Modify Authentication Process (T1556) – hypothesized, not confirmed
Unsecured Credentials: Credentials In Files (T1552.001) – hypothesized, not confirmed
Account Manipulation (T1098) – hypothesized, not confirmed
Exfiltration Over C2 Channel (T1041) – hypothesized; the exfiltration path has not been disclosed
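Valid Accounts is the one technique the reporting supports, and it is also the one most identity programs can catch with data they already hold: the HR roster, the credential inventory, and a rotation policy. The following is an added example, not Coupang's code and not taken from the original page; the roster, inventory, 90-day rotation window, and log lines are constructed for illustration and the `KEY-EXAMPLE-*` identifiers are placeholders.

```python
"""Audit successful authentications against the identity records that should
govern them: the HR roster (has the owner left?), the credential inventory
(who owns the credential, how old is it?) and a rotation policy.

Added, self-contained example; the roster, inventory, policy window and log
lines below are constructed for illustration, not Coupang data.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Constructed HR roster: user -> last day of employment (None = active)
ROSTER = {
    "alice": None,
    "bob": date(2025, 5, 31),
    "svc-report": None,
}

# Constructed credential inventory: credential id -> (owner, issue date)
KEYS = {
    "KEY-EXAMPLE-001": ("alice", date(2025, 6, 1)),
    "KEY-EXAMPLE-002": ("bob", date(2024, 11, 15)),
    "KEY-EXAMPLE-003": ("svc-report", date(2023, 1, 10)),
}

# Constructed authentication log: "<timestamp> <user> <credential> <outcome>"
AUTH_LOG = """\
2025-06-24T02:13:05Z bob KEY-EXAMPLE-002 success
2025-06-24T09:00:00Z alice KEY-EXAMPLE-001 success
2025-06-30T22:45:51Z mallory KEY-EXAMPLE-001 failure
2025-07-01T03:40:11Z svc-report KEY-EXAMPLE-003 success
"""

MAX_KEY_AGE = timedelta(days=90)  # assumed rotation policy


@dataclass(frozen=True)
class Finding:
    ts: datetime
    user: str
    credential: str
    reason: str


def parse_line(line: str):
    ts, user, cred, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, cred, outcome


def audit(log_text: str, roster=ROSTER, keys=KEYS, max_key_age=MAX_KEY_AGE):
    """Return one Finding per policy violation seen in successful logins."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, cred, outcome = parse_line(line)
        if outcome != "success":
            continue  # failures belong to a brute-force detector, not this audit
        day = ts.date()

        # 1. Leaver check: a valid login by someone the roster says has left.
        if user not in roster:
            findings.append(Finding(ts, user, cred, "user not in HR roster"))
        elif roster[user] is not None and day > roster[user]:
            days_after = (day - roster[user]).days
            findings.append(Finding(
                ts, user, cred,
                f"credential used {days_after} days after termination"))

        # 2. Inventory check: unknown credential, or one used by a non-owner.
        if cred not in keys:
            findings.append(Finding(ts, user, cred, "credential not in inventory"))
            continue
        owner, issued = keys[cred]
        if owner != user:
            findings.append(Finding(ts, user, cred, f"credential owned by {owner}"))

        # 3. Rotation check: credential older than the policy allows.
        age = day - issued
        if age > max_key_age:
            findings.append(Finding(
                ts, user, cred,
                f"credential age {age.days}d exceeds {max_key_age.days}d rotation policy"))
    return findings


if __name__ == "__main__":
    for f in audit(AUTH_LOG):
        print(f"{f.ts:%Y-%m-%dT%H:%M:%SZ} {f.user:<11} {f.credential} {f.reason}")
```

On the constructed input this flags bob's login (credential used after his termination date, and a key past rotation age) and the service account's long-unrotated key, while alice's fresh key passes. The join against the roster is the step most often missing in practice: the authentication system only knows the credential is valid, not that its owner should no longer have one.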
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks. The mapping is indicative: Coupang’s primary obligations fall under South Korea’s Personal Information Protection Act (PIPA), and the frameworks below apply only to the extent Coupang or its partners are within their scope.
PCI DSS 4.0 – Render PAN Unreadable Anywhere It Is Stored
Control ID: 3.5.1 (payment details were reported not to have been exposed, so this control bears on stored-data posture rather than on a confirmed loss)
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – Protection and Prevention (ICT Risk Management)
Control ID: Art. 9
CISA ZTMM 2.0 – Implement Strong Identity Controls and Zero Trust Principles
Control ID: Identity - Credential and Access Management
NIS2 Directive – Incident Handling and Notification
Control ID: Art. 21(2)(b) (incident handling); Art. 23 (reporting obligations)
GDPR – Security of Processing
Control ID: Art. 32
Sector Implications
Industry-specific impact of the incident, including operational, regulatory, and cloud security risks.
Retail Industry
E-commerce platforms hold tens of millions of customer records behind a small number of privileged identities; limiting who can read those records in bulk, segmenting the data stores, and controlling egress are what keep a single compromised credential from exposing the whole customer base.
Financial Services
Banks and payment processors should treat insider credential abuse as a first-class threat: monitor privileged access for volume and timing anomalies, and inspect or restrict encrypted outbound traffic so that bulk customer data cannot leave unnoticed.
Health Care / Life Sciences
Healthcare organizations handling patient data need cross-environment visibility and anomaly detection so that a months-long undetected intrusion is caught early, alongside encryption that meets HIPAA requirements to reduce the value of any records that are taken.
Internet
Online service providers should pair identity-aware access controls on customer databases with inline inspection that can detect lateral movement and credential-based access from unexpected sources or at unexpected volumes.
Sources
- Coupang breach affecting 33.7 million users raises data protection questions (BleepingComputer): https://www.bleepingcomputer.com/news/security/coupang-breach-affecting-337-million-users-raises-data-protection-questions/
- Coupang Data Breach Exposed Personal Records of 33.7 Million Customers (Cyberpress): https://cyberpress.org/coupang-data-breach/
- Coupang to Compensate 33.7 Million Customers 50,000 Won Each Over Data Breach (Seoul Economic Daily): https://en.sedaily.com/finance/2025/12/29/coupang-to-compensate-337-million-customers-50000-won-each
- South Korean e-commerce firm Coupang says 33.7 million customer accounts breached (The Straits Times): https://www.straitstimes.com/asia/east-asia/south-korean-e-commerce-firm-coupang-says-33-7-million-customer-accounts-breached
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, identity-aware policy enforcement, and robust egress controls would likely have limited unauthorized access, surfaced anomalies sooner, and restricted data movement, reducing both the attack surface and the volume of customer data that could be exfiltrated.
Control: Zero Trust Segmentation
Mitigation: Prevents unauthorized access by enforcing identity-based microsegmentation.
Control: Multicloud Visibility & Control
Mitigation: Early detection of privilege abuse or unusual access patterns.
Control: East-West Traffic Security
Mitigation: Blocks unauthorized lateral movement within the cloud.
Control: Threat Detection & Anomaly Response
Mitigation: Detects persistent or covert control channels.
Control: Egress Security & Policy Enforcement
Mitigation: Prevents unapproved outbound data flows and blocks exfiltration, limiting the volume exposed by any extraction that does succeed.
Impact at a Glance
Affected Business Functions
- Customer Service
- Order Processing
- Logistics
Estimated downtime: 5 days (analyst estimate, not a figure reported by Coupang)
Estimated loss: approximately $1,200,000,000 (analyst estimate; broadly consistent with the announced compensation of 50,000 won to each of 33.7 million customers)
Personal information of 33.7 million customers, including names, email addresses, phone numbers, shipping addresses, and certain order histories, was exposed. Payment details and login credentials were not compromised.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust segmentation to strictly isolate critical workloads and user roles across cloud environments.
- Enforce comprehensive egress controls and policy enforcement to monitor and block unauthorized outbound traffic and data transfers.
- Deploy anomaly detection and real-time response mechanisms to identify privileged misuse and prolonged access.
- Mandate encryption for all customer data in transit and at rest, exceeding regulatory minimums to limit breach impact.
- Establish continuous, centralized multicloud visibility and granular access monitoring to quickly detect and close exploit paths.
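The third action above, detecting privileged misuse and prolonged access, is where the five-month dwell time would have been cut short. The following is an added example, not code from Coupang or from the original page: it baselines each identity's daily database read volume with a median and median absolute deviation (so the first large read does not inflate the threshold for the days after it) and reports how long the anomalous access went on. The audit records, the seven-day window, the multiplier, and the 1,000-row floor are constructed and assumed.

```python
"""Volumetric anomaly detection over per-identity database read counts, with a
contamination-resistant baseline (median and median absolute deviation) so a
first large read does not raise the threshold for the days that follow.

Added example, not code from Coupang or from the original page; the audit
records, window sizes and floor below are constructed and assumed.
"""
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed DB audit summary: (day, identity, rows returned that day).
# alice reads a few rows a day; svc-report is steady for a week, then jumps.
AUDIT = (
    [(date(2025, 6, d), "alice", n) for d, n in
     zip(range(1, 10), [20, 25, 19, 30, 22, 18, 21, 27, 24])]
    + [(date(2025, 6, d), "svc-report", n) for d, n in
       zip(range(1, 10), [480, 510, 495, 530, 470, 505, 490, 240_000, 310_000])]
)


def robust_threshold(history, k=5.0, floor=1000):
    """median + k * MAD, never below an absolute floor so that noise around a
    tiny baseline (a few rows a day) does not generate alerts."""
    med = median(history)
    mad = median(abs(x - med) for x in history) or 1.0
    return max(med + k * mad, floor)


def detect(audit, window=7, baseline_min=3, k=5.0, floor=1000):
    """Return (day, identity, rows, threshold) for every day an identity's
    reads exceed its own trailing baseline."""
    series = defaultdict(list)
    for day, ident, rows in sorted(audit):
        series[ident].append((day, rows))
    alerts = []
    for ident, points in series.items():
        for i, (day, rows) in enumerate(points):
            history = [r for _, r in points[max(0, i - window):i]]
            if len(history) < baseline_min:
                continue  # not enough history to judge this identity yet
            thr = robust_threshold(history, k, floor)
            if rows > thr:
                alerts.append((day, ident, rows, round(thr)))
    return alerts


def exposure_window(alerts):
    """Per identity: first alert day, last alert day, inclusive span in days.
    A long span with no response is the dwell time described above."""
    bounds = {}
    for day, ident, _, _ in alerts:
        first, last = bounds.get(ident, (day, day))
        bounds[ident] = (min(first, day), max(last, day))
    return {i: (f, l, (l - f).days + 1) for i, (f, l) in bounds.items()}


if __name__ == "__main__":
    found = detect(AUDIT)
    for alert in found:
        print(alert)
    print(exposure_window(found))
```

On the constructed data the service account's two bulk reads are flagged on both days, because the MAD baseline ignores the first spike when judging the second, while alice's small day-to-day variation stays under the floor. In production the same logic runs per identity and per table from the database audit log, and the exposure window is the figure to escalate on: one anomalous day is an investigation, weeks of them are an incident.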