Coupang Hack Emergency: 33.7 Million People's Personal Information Compromised, 7 Things to Do Right Now

1. how much of my information was compromised? The scope of the breach and secondary damage scenarios

recently, a massive data breach of nearly 33.7 million accounts on Coupang has left many users on edge. this unprecedented security breach was caused by a former Coupang employee who is a Chinese national, and it was discovered that the information was unauthorizedly leaked over a period of five months. What many users are wondering is exactly what information was leaked, and what secondary damage scenarios are possible.

according to Coupang's official announcement and government investigations, the stolen information includes customer names, email addresses, phone numbers, shipping address lists, and some order information. The shipping address lists in particular contain not only addresses, but also some people's shared front door access numbers, which makes the breach more than just an online risk, but also a threat to physical residential safety. fortunately, Coupang has repeatedly confirmed that no payment information such as card numbers or account numbers, or sensitive information such as passwords or personalized customs identification numbers were compromised.

however, just because passwords weren't compromised doesn't mean you can rest easy. When combined with compromised names, phone numbers, addresses, and specific order information, fraudsters can try more sophisticated and elaborate fraud schemes, known as spear smishing. for example, if a fraudster uses a real customer's order history to send a text that says, "Dear member, the delivery of your recent OOO purchase has been delayed and you need to enter your financial information for a refund," it's hard for victims to suspect. So now is the perfect time to familiarize yourself with how to respond to a hack on Coupang and implement a proactive data breach plan.

2. top priority: lock your digital accounts to prevent hacking

the quickest and most obvious hack prevention measure is to strengthen your account security. To completely eliminate the possibility of the stolen information being used for other forms of fraud, you need to put a double layer of defense on your digital accounts.

2.1. [Action 1] Check for unknown accesses and change your passwords in bulk

the first step is to log in to your Coupang account and thoroughly check your recent access history. if you find any accesses from unfamiliar locations or devices that you don't recognize, this is a warning sign that your account may have been compromised. In this case, you should immediately log out of any unfamiliar devices and reset your account security by changing your password.

furthermore, even if passwords were not directly compromised in the Coupang hack, the problem is that many people use the same or similar passwords across multiple sites. security experts strongly recommend that you change your passwords not only for Coupang, but also for all of your other major sites, such as portals, banks, and gaming accounts, as a single breach can lead to a chain of hacks. Practicing regular password changes is a fundamental part of digital security.

2.2. [Action 2] Set up a 'digital lock' and require two-step verification

one of the strongest defenses against hacking is enabling two-factor authentication. two-factor authentication (2FA) is a feature that requires users to verify their identity with something in addition to their password, such as an authenticator app or text message, before they can log in. even if a hacker gets your password, they can't get past the digital lock that is two-factor authentication, which prevents them from taking over your account. apply two-step verification to all your favorite services (Google, Naver, financial apps), including Coupang.

2.3. [Action 3] Check for additional breaches with 'Find My Stolen Information'

if you're worried about checking for additional personal information leaks, you can use the 'Find My Information' service operated by the Personal Information Protection Commission and the Korea Internet & Security Agency (KISA). this is a free service that checks whether your account information (ID and password) has been leaked through illegal channels such as the dark web. the information you enter for the search is destroyed immediately after the scan, so it's safe to use, and if you find that your information has been compromised, you should take immediate action, such as canceling your account or changing your password.

3. golden time to prevent financial harm: Preemptively block payment and identity theft

compromised names and phone numbers can be the starting point for financial fraud and identity theft. preemptive blocking is the most practical way to prevent financial harm in the event of a breach.

3.1. [Action 4] Immediately block mobile phone micropayments and card overseas payments

when personal information is exposed, it is more likely to be abused for small payments or overseas fraudulent use. Therefore, it is wise to temporarily block or lower the usage limit of the following two features.

• blocking mobile phone micropayments: You can access the mobile app or website of your carrier's customer center (T World, My Katie, etc.) and set your mobile phone micropayment limit to "0 won" or apply for "limited use". this will prevent any attempts to make micropayments using your phone number.

• block international card payments: suspend your card's overseas payment function (including DCC overseas KRW payments) or apply for the 'Overseas KRW payment (DCC) pre-blocking service' through your card company's website or app. This is an effective hacking damage prevention measure that prevents fraudulent payments using information leaked from overseas.

3.2. [Action 5] Utilize identity theft blocking and credit report alert services

one of the most concerning incidents involving stolen personal information is identity theft at telecommunications companies or financial institutions.

• telecom Identity Theft Prevention (Msafer): the Korea Association of Information and Communication Technology (KAIT)'s Msafer identity theft prevention service can help you proactively block new cell phones from being opened in your name. this service is the strongest communication protection against identity theft and is available for free to all South Koreans.

• credit alerts: To detect financial fraud in real time, consider signing up for a credit alert service provided by a credit bureau (such as NICEJekyll, TOS, etc.), which will notify you via text or alert as soon as a credit inquiry is made by a third party using your name and information to apply for a loan, card, etc.

4. don't miss out on physical security: common entrance and clearance sign emergency measures

the unique aspect of the Coupang hack is that it went beyond the online world and leaked information related to physical safety.

4.1. [Action 6] Secure residential safety by changing the common entrance password

through a parliamentary inquiry, it was confirmed that some users' common entrance numbers entered in their address book were leaked. if the common entrance password is the same or similar to the household entrance password, the risk of physical access to the residence is seriously increased. to prevent hacking victims of residential break-ins, thefts, and other violent crimes, users who have listed their common entrance numbers in their address book should change them immediately. This is the most urgent physical security measure in our response to the breach.

4.2. [Action 7] Reissue personalized customs clearance numbers to overseas direct sales users

the Personalized Customs Identification Number is an identification number that is used for customs clearance procedures instead of a social security number when shopping overseas. although Coupang has stated that this information was not leaked, the number of cases of unauthorized overseas direct purchases that were cleared through customs using the user's name and customs clearance number were reported one after another immediately after the incident, leading to increased anxiety among users and a surge in the number of reissues.

due to the possibility of being used for criminal activities such as smuggling, it is safe to change your personalized customs code if you have been using overseas jigsaws frequently or feel uneasy. the reissue process is simple. simply access the Korea Customs Service's electronic customs clearance system (Unipass), verify your identity, click the 'Edit' button at the bottom of the inquiry screen, check 'Reissue', save, and you'll receive your new number immediately.

5. sophisticated Coupang impersonation smishing features and how to prevent it

leaked names, phone numbers, and order information are the basis for fraudsters to create "authentic" characters. it's important to be thoroughly familiar with how to prevent smishing.

scammers often use keywords such as "damage compensation," "refund," "delayed delivery," and "damage report" to convince you to enter your financial information under the guise of urgency. In Coupang's smishing cases, we've seen scammers click on links referencing your actual order history, call fake customer service numbers with the promise to "reissue your credit card," and install remote control apps to steal your credentials.

the key to identifying smishing alerts is to always be suspicious of any request to "click a link," "install an app," or "enter personal information," regardless of the sender. no official organization, including Coupang, will ever ask you to install a security app or remote control app via text or phone. Delete any message from an unknown source immediately, and never click on a link if you are suspicious.

6. what to do if harm occurs: KISA 118 and how to report to the Cyber Police

if you've followed these smishing prevention tips and you're still a victim, or you're not sure if a text is a scam, you should seek professional help quickly.

• check and consult: If you suspect a text is fraudulent, you can call the Protected Nations smishing check channel (KakaoTalk) or the KISA 118 call center, operated by the Korea Internet & Security Agency (KISA). the 118 call center is open 365 days a year.

• report financial/cyber damage: If you have installed a malicious app or suffered financial damage, you should report it without delay to the National Police Agency's Cybercrime Reporting System (ECRM) online or visit the nearest police station to request an investigation. reporting quickly is an important step to prevent further damage from spreading and to receive compensation.

7. frequently asked questions (FAQs)

Q A Q: Is it likely that the leaked information will actually lead to secondary damage? A: Based on a full investigation by the National Police Agency, we have not found any suspected cases of secondary damage using the leaked information. However, due to the precision of the leaked information, it is best to follow smishing prevention laws and proactively change your passwords. Q: Do I need to reissue my Personalized Customs Identification Number? A: Despite the official announcement that the data has not been compromised, reports of theft and the number of reissuances are skyrocketing. if you've shipped internationally and are concerned, we recommend changing your Personalized Customs Identification Number to protect against smuggling and other abuses. Q: Will changing my front door password affect my delivery? A: After changing your password, immediately update your Coupang shipping request with the changed information, or contact the driver directly and communicate it securely to avoid any delays in delivery. Q: I received a smishing text, is there anything I can do to identify it before my financial information is compromised? A: If you've never clicked on any links in the text, the risk of compromising your financial information is low. We recommend that you contact the KISA 118 call center or the ProtectNation smishing verification channel for advice and delete the text immediately.

bottom line: small actions make a big difference

the massive Coupang hack is a reminder of the seriousness of privacy breaches behind the convenience of online shopping. The key is to be proactive and take action quickly. the seven essential actions we've outlined today - strengthening passwords and two-factor authentication, blocking micropayments on your phone, signing up for an identity theft protection service, and changing your front door number for residential safety - can help protect your valuable digital and physical assets. prevention is always the best defense against secondary victimization.

if you found this article helpful, we hope you'll share it with others to help spread the word about smishing prevention. let us know if you have any questions in the comments, and subscribe or sign up for our newsletter for more security tips.