Coupang Data Breach
The title of "the nation's app" now rings hollow. It has been revealed—belatedly—that personal data from nearly 33 million Coupang accounts was leaked. This figure essentially covers the entire economically active population of South Korea. Yet, the issue is not just the leak itself, but the time it took for the company to detect the breach and notify its customers. For five months, we have essentially been sleeping with our front doors unlocked, unaware of the intrusion.
1. System Failure: 5 Months in the Dark
In any security incident, the "Golden Time" for detection and response is critical. However, a review of the timeline raises reasonable doubts about whether the company's security monitoring systems were functioning properly.
Detected & Reported in November
During this five-month window, hackers likely processed the stolen data, traded it on the dark web, and engineered secondary attack scenarios. While Coupang has clarified that "payment information is safe," names, phone numbers, and addresses are more than enough to design sophisticated voice phishing and "smishing" schemes. In this asymmetry of information, the anxiety and potential damage have been left entirely to the consumer.
2. How Did It Happen? The Threat of "Credential Stuffing"
The method identified in this incident is "Credential Stuffing." Simply put, hackers take IDs and passwords stolen from other websites and indiscriminately try them on Coupang’s login page until they break in.
This explains why you cannot feel safe simply because you set a complex password for Coupang. If you reuse the same ID and password across a vulnerable site (Site A) and Coupang, the moment Site A is breached, your Coupang account is unlocked. This is the structural reason why platform companies must mandate, or at least strongly encourage, Two-Factor Authentication (2FA).
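On the platform side, the same pattern is what login monitoring should catch early. The following is an added example, not code from Coupang or from the original article: it flags a source address that tries many distinct accounts in a short window with almost no successes, which separates stuffing from one user mistyping a password or a busy shared office address. The event format, the thresholds and the sample log are all constructed assumptions, and an attacker who spreads attempts across many addresses would need additional signals.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts ip account ok")

# Assumed thresholds for illustration; tune against real traffic.
WINDOW = timedelta(minutes=10)   # look-back window per source address
MIN_ACCOUNTS = 20                # distinct accounts tried within the window
MAX_SUCCESS_RATE = 0.10          # stuffing succeeds only on reused passwords


def detect_stuffing(events):
    """Return {ip: {"max_accounts", "compromised"}} for stuffing-like sources."""
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_ip[ev.ip].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Shrink from the left so the window never spans more than WINDOW.
            while evs[end].ts - evs[start].ts > WINDOW:
                start += 1
            window = evs[start:end + 1]
            accounts = {e.account for e in window}
            hits = {e.account for e in window if e.ok}
            # Many different accounts, few successes: a stolen list being replayed.
            # Brute force hits one account; a shared NAT mostly succeeds.
            if len(accounts) >= MIN_ACCOUNTS and len(hits) / len(accounts) <= MAX_SUCCESS_RATE:
                entry = flagged.setdefault(ip, {"max_accounts": 0, "compromised": set()})
                entry["max_accounts"] = max(entry["max_accounts"], len(accounts))
                entry["compromised"] |= hits  # accounts needing reset and notice
    return flagged


def sample_events():
    """Constructed log: one stuffing source, one forgetful user, one office NAT."""
    t0 = datetime(2025, 1, 1, 3, 0, 0)
    evs = [Event(t0 + timedelta(seconds=5 * i), "203.0.113.7", f"user{i:03d}", i in (17, 31))
           for i in range(40)]
    evs += [Event(t0 + timedelta(seconds=20 * i), "198.51.100.23", "alice", i == 3)
            for i in range(4)]
    evs += [Event(t0 + timedelta(seconds=10 * i), "192.0.2.50", f"staff{i:02d}", True)
            for i in range(25)]
    return evs


if __name__ == "__main__":
    print(detect_stuffing(sample_events()))
```

The accounts listed under "compromised" are the ones where a reused password worked, so they are the ones to lock, reset and notify first.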
3. Action Plan: 3 Principles for Self-Defense
The spilled data cannot be gathered back. We must now focus on defense. Beyond simply changing passwords, we need to protect our accounts structurally.
- Isolate Your Passwords: Passwords for critical sites like banking or shopping apps must be distinct from those used for forums or general websites. If remembering them is difficult, utilize a trusted Password Manager.
- Make 2FA Mandatory: Even if your ID and password are stolen, login should be impossible without the verification code sent to your phone. This is no longer an option; it is a necessity.
- Beware of Targeted Smishing: Scam texts have evolved beyond simple impersonation. Expect messages that cite your correct name and home address, claiming a "delivery address error." Never click URLs included in text messages.
4. Conclusion: Beyond "Fending for Ourselves"
The company will face fines, but the potential damage and anxiety felt by consumers are rarely compensated. This five-month period of silence offers a clear lesson: Do not blindly trust corporate security systems. We must protect our digital assets through the minimum safety measures—like 2FA—that remain under our own control.