"Change your front door passcode right now. Our home addresses were breached 148 million times."
The primary target in Coupang's personal data breach by a former Chinese employee was the "delivery address list" page. The perpetrator accessed the delivery address list page—which contains names, phone numbers, delivery addresses, and partially anonymized building entrance passcodes using special characters—a total of 148 million times. The government stated that "access constitutes leakage," explaining that "the moment data is accessed, it enters the attacker's server."
According to the government's joint public-private investigation task force on the 10th, the primary analysis target was the attacker's Coupang access records, comprising 25.6 terabytes of log data. The analysis revealed that the attacker systematically collected information through "web crawling" of Coupang's webpages over approximately seven months, from April 14 to November 8, 2025. Web crawling refers to the technique of using automated programs (scripts) to repeatedly access webpages and collect large volumes of data, rather than manually opening each page. Using this method, the attacker systematically accessed multiple webpages containing concentrated personal information, including the delivery address list page, the delivery address modification page, and the order history page.
The critical issue is that the delivery address lists accessed by the attacker contain information beyond just the account holder. Coupang users can freely add and modify delivery addresses during the purchasing process. Not only home addresses but also temporary accommodations during business trips or travel, homes of family members or acquaintances, and gift delivery addresses are all stored in the delivery address list. Consequently, the delivery address modification page accumulates names, phone numbers, and addresses of third parties including family and friends, in addition to the account holder. Investigation results confirmed that the attacker accessed the delivery address modification page 50,474 times and viewed the order history page—containing users' recent purchase records—102,682 times.
The leaked information extends far beyond simple contact details. By combining multiple delivery address data with order records, it becomes possible to infer an individual's living radius, movement patterns, and personal relationships, significantly increasing the risk of secondary harm including stalking, fraud, and targeted crimes. Notably, registered delivery recipients likely include non-Coupang members as well. For this reason, experts are recommending that consumers "reduce or discontinue use of Coupang." Professor Kim Seung-joo of Korea University's Graduate School of Information Security warned, "Unless data management systems and access control structures are fundamentally improved, safety cannot be guaranteed simply by users periodically deleting their order history." He added, "Continuing to use the service in its current state is like driving an unfixed car on the road—you're accepting considerable risk."