Also: Texas AG Sues Smart TV Manufacturers, Fortinet SSO Flaws

Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week, a leadership shakeup hit Coupang, attackers exploited critical Fortinet SSO flaws, Pornhub data was hacked, Texas Attorney General Ken Paxton sued major smart TV makers over alleged covert surveillance, auto finance provider 700Credit disclosed a breach affecting millions and a revived pro-Russia ransomware operation stumbled.
Coupang Leadership Shakeup Deepens Fallout From Data Breach
The CEO of Coupang, South Korea’s largest online retailer, departed the organization following a massive data breach that exposed the physical and digital contact information of nearly every adult living in the country.
In a Monday regulatory filing, the U.S.-listed e-commerce company said CEO Park Dae-jun resigned earlier this month. Harold L. Rogers, Coupang Inc.’s general counsel and chief administrative officer, is now serving as interim CEO (see: South Korean E-Commerce Giant Coupang Probes Massive Breach).
The leadership change comes as Coupang confronts heightened scrutiny from South Korean lawmakers. Founder and Chairman Bom Kim did not appear before a parliamentary hearing convened to examine the breach, prompting legislators to warn of possible legal action. Rogers testified in Kim’s place and faced repeated questioning from lawmakers over governance oversight and the company’s response to the incident.
Coupang said the incident, publicly disclosed on Dec. 1, will not materially affect its operations since the breach did not involve financial or authentication data. The Seoul Metropolitan Police Agency raided the company’s Seoul headquarters earlier this month in a search for evidence. The breach is believed to be the work of a Chinese national who once developed authentication systems for the retailer. Authorities have not released a name and the suspect is believed to be in China. The developer allegedly left Coupang a year ago but held onto an internal authentication key and used it starting in June to begin stealing data. Company systems didn’t detect the exfiltration until Nov. 18.
South Korean data privacy law allows the government to fine companies up to 3% of the previous three years' average annual revenue in the case of a breach – an amount The Wall Street Journal reported would add up to $750 million.
Malicious SSO Logins Follow Disclosure of Critical Fortinet Flaws
Security researchers are warning of active exploitation of Fortinet devices following the disclosure of two critical authentication bypass vulnerabilities that enable attackers to circumvent FortiCloud single sign-on protections.
Cybersecurity firm Arctic Wolf began observing malicious SSO logins on FortiGate appliances on Dec. 12, three days after Fortinet published an advisory for CVE-2025-59718 and CVE-2025-59719. Fortinet released patches for affected versions of FortiOS, FortiProxy, FortiWeb and FortiSwitchManager.
The flaws, both rated critical, stem from improper cryptographic signature verification in SAML authentication, allowing an unauthenticated attacker to bypass FortiCloud SSO when the feature is enabled. Exploitation does not rely on stolen credentials and occurs before authentication is completed, rendering password strength or multifactor authentication ineffective as protections.
Arctic Wolf said the malicious logins were directed at default admin accounts. In many cases, successful intruders exported device configurations after gaining access, potentially exposing network topology, VPN settings and hashed credentials.
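Detection logic for the pattern described above, a successful SSO login to a default admin account followed by a configuration export from the same source. This is an added example, not code from Arctic Wolf or Fortinet; the log lines are constructed and the key=value field names (`method`, `object`, `srcip`) are assumptions to map onto your device's actual log schema.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events, not real device logs. Field names are assumptions.
SAMPLE_LOGS = """\
time=2025-12-12T03:14:07 user="admin" method="sso" action="login" status="success" srcip=203.0.113.10
time=2025-12-12T03:15:41 user="admin" action="download" object="config" status="success" srcip=203.0.113.10
time=2025-12-12T09:02:11 user="jsmith" method="sso" action="login" status="success" srcip=198.51.100.7
time=2025-12-12T10:30:00 user="admin" method="password" action="login" status="success" srcip=192.0.2.5
time=2025-12-12T10:31:00 user="admin" action="download" object="config" status="success" srcip=192.0.2.5
time=2025-12-12T11:00:00 user="admin" method="sso" action="login" status="failed" srcip=203.0.113.99
"""

DEFAULT_ADMINS = {"admin"}      # accounts treated as default admins (assumption)
WINDOW = timedelta(minutes=30)  # how long after a login an export is tied to it
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse(line):
    """Turn one key=value log line into a dict with a parsed timestamp."""
    ev = {k: quoted or bare for k, quoted, bare in KV.findall(line)}
    ev["time"] = datetime.fromisoformat(ev["time"])
    return ev


def detect(log_text):
    """Return (rule, user, srcip, timestamp) findings in log order."""
    findings, sso_logins = [], {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        if ev.get("status") != "success":
            continue
        key = (ev.get("user"), ev.get("srcip"))
        stamp = ev["time"].isoformat()
        if (ev.get("action") == "login" and ev.get("method") == "sso"
                and ev.get("user") in DEFAULT_ADMINS):
            sso_logins[key] = ev["time"]
            findings.append(("sso_admin_login", *key, stamp))
        elif ev.get("action") == "download" and ev.get("object") == "config":
            login = sso_logins.get(key)
            if login and timedelta(0) <= ev["time"] - login <= WINDOW:
                findings.append(("config_export_after_sso", *key, stamp))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOGS):
        print(finding)
```

The password-based admin login and its export in the sample are deliberately not flagged, since the reported activity is specific to SSO logins.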
Hackers Threaten to Publish Pornhub Subscriber Data
Cyber extortion gang ShinyHunters is threatening to publish data belonging to premium subscribers of sex website Pornhub. The cybercriminal gang took responsibility for stealing more than 200 million records belonging to Pornhub Premium users, reported BleepingComputer. The gang, mostly adolescent Westerners, may have stolen the information by breaking into web analytics firm Mixpanel.
Pornhub has told users that its systems were not broken into and that hackers did not obtain passwords, payment details or financial information.
Mixpanel has said it is not the source of the stolen Pornhub data. The company on Nov. 27 did disclose a smishing incident. ChatGPT maker OpenAI acknowledged that some of its API users had data exposed in the incident. But Mixpanel has been telling media outlets that it finds no indication that Pornhub data “was stolen from Mixpanel during our November 2025 security incident or otherwise.”
Texas AG Paxton Sues 5 Major TV Manufacturers Over Surveillance
Texas Attorney General Ken Paxton sued five leading television manufacturers – Sony, Samsung, LG, Hisense and TCL – alleging that the companies unlawfully surveilled viewers through invasive smart TV tracking technology.
According to the filings, the companies embedded automatic content recognition software and captured screenshots and audio-visual data without consumers’ informed consent. In some cases, the technology recorded data every 500 milliseconds, and in others, as often as every 10 milliseconds, enabling near-continuous monitoring of what consumers viewed inside their homes. The lawsuits assert that the surveillance extended beyond streaming apps to include HDMI-connected devices, such as gaming consoles, laptops, cable boxes and even security camera feeds.
The lawsuits allege that the televisions continued collecting data even when disconnected from the internet and transmitted that information once connectivity was restored. The data was allegedly used to build detailed consumer profiles capable of inferring sensitive personal attributes, including political beliefs, religious views, health interests and family characteristics.
Paxton accused the companies of using deceptive consent mechanisms, including one-click opt-ins during setup and complex opt-outs requiring multiple steps, effectively denying consumers meaningful choice.
700Credit Breach Affects Millions
A cyber incident at major auto finance technology provider 700Credit exposed the sensitive personal information of nearly 6 million U.S. consumers. In a notice posted on its website, 700Credit said suspicious activity was detected on Oct. 25, when an unauthorized third party accessed data stored in the application layer of its 700Dealer.com platform, used by nearly 18,000 auto dealerships to process credit and compliance checks. Exposed information includes names, addresses, Social Security numbers and dates of birth. The incident reportedly affected 5.8 million individuals.
700Credit said forensic investigators found no evidence that its internal network was compromised and reported no disruption to business operations. The company also said it has not identified any confirmed cases of identity theft, fraud or misuse of the exposed information, though the investigation remains ongoing.
Michigan Attorney General Dana Nessel advised consumers to be vigilant for phishing emails.
CyberVolk’s VolkLocker Ransomware Revival Stumbles on Basic Errors
CyberVolk, a pro-Russia hacktivist group that cybersecurity researchers have found to originate in India, relaunched ransomware attacks in 2025. But much-touted improvements in its new platform, VolkLocker, appear to come with fundamental missteps.
Cybersecurity researchers at SentinelOne say CyberVolk’s return follows a disruption earlier this year, when its Telegram infrastructure was repeatedly taken down. The group has since rebuilt its operation around VolkLocker, a Golang-based ransomware strain designed to run on both Windows and Linux systems.
On paper, the model is streamlined. Would-be affiliates can generate customized payloads by selecting configuration options such as cryptocurrency wallets, encryption deadlines and Telegram bot integrations. Command-and-control and affiliate communications are also handled through Telegram, reducing the technical effort required to deploy attacks.
But the platform suffers from a glaring design flaw. The master encryption key is hard-coded into the binary and also dumped in plaintext on the victim system, effectively allowing recovery of encrypted files without paying a ransom.
