Coupang CEO Resigns After Breach Exposes 33M Users, Including Door Codes

SEOUL - The co-chief executive of South Korea’s dominant e-commerce platform resigned Wednesday amid widening fallout from a data theft that compromised the personal information of nearly two-thirds of the country's population.

Coupang (NYSE: CPNG) confirmed earlier this month that an internal actor accessed and extracted records belonging to 33.7 million customers. The breach, which went undetected for five months, has triggered a multi-agency investigation, a sharp drop in user engagement, and the immediate restructuring of the company’s leadership.

The Insider Threat

The breach was not the result of an external hack, but rather an abuse of internal access privileges. Coupang reported to regulators that the unauthorized extraction was carried out by a former developer-identified by police as a Chinese national-who had worked at the company’s Seoul headquarters for two years.

According to investigators from the Seoul Metropolitan Police Agency, the suspect allegedly utilized legitimate credentials to scrape customer data from internal servers. The extraction began on June 24, 2025, but remained unnoticed by Coupang’s security operations center until November 18, 2025.

Following the company’s disclosure, police authorities raided Coupang’s Songpa District headquarters over three days starting December 9, seizing server logs and employee hard drives to reconstruct the full scope of the data exfiltration.

Motivation: Extortion, Not Public Sale

New details have emerged regarding the motive behind the theft. Investigators revealed that the breach was discovered only after the suspect contacted Coupang directly, demanding a financial payoff in exchange for keeping the stolen data private.

As of this week, there is no confirmed evidence that the dataset has been listed for public sale on major dark web marketplaces or hacking forums. However, authorities warned users to remain vigilant against phishing and "smishing" (SMS phishing) attacks, as police are still working to determine if the suspect transferred the data to associates or private brokers prior to the extortion attempt.

Exposed Data: Physical Security at Risk

While Coupang stated that financial data such as credit card numbers and passwords remained secure, the exposed dataset creates significant physical security risks for victims. The leaked information includes granular details used for logistics and delivery:

• Full Names and Phone Numbers
• Email Addresses
• Physical Home Addresses
• Door Entry Codes (Commonly used by delivery drivers in South Korea to access gated apartment complexes or front doors)
• Order Histories

The exposure of door codes is particularly concerning in South Korea, where digital door locks are ubiquitous. Privacy advocates have warned that combining physical addresses with entry codes poses an immediate safety threat to affected households.

Timeline of the Breach

• June 24, 2025: The suspect begins extracting data using internal credentials.
• November 18, 2025: Coupang security teams detect the anomaly after five months of activity.
• November 29, 2025: The company formally discloses the incident to the Personal Information Protection Commission (PIPC) and the public.
• December 9, 2025: Police launch a search and seizure operation at Coupang HQ.
• December 10, 2025: Co-CEO Park Dae-jun resigns to take responsibility for the oversight failures; Harold Rogers is appointed as interim replacement.

Regulatory and Legal Consequences

The scale of the breach places Coupang in a precarious legal position. Under the amended Personal Information Protection Act (PIPA), the PIPC has the authority to impose fines of up to 3% of total annual revenue if investigators determine that the company failed to implement adequate internal controls or monitoring systems.

The financial implications are already materializing. Following the news, Coupang shares dropped on the New York Stock Exchange, and a New York-based law firm announced plans for a class-action lawsuit, alleging that the company’s governance failures violated securities laws. Simultaneously, legal challenges are mounting in Seoul Central District Court, where victims are seeking damages for emotional distress and potential privacy violations.

Mass User Exodus

Consumer reaction has been swift and severe. Market analytics firm IGAWorks released data showing that Coupang’s Daily Active Users (DAU) fell by approximately 1.8 million-from 17.98 million to 16.17 million-in the week immediately following the disclosure.

Public anger has been fueled by the nature of the data lost and the delay in detection. The PIPC has since ordered the company to revise its terms of service to simplify the process for users wishing to delete their accounts, a move that may accelerate the platform's churn rate.