Mercari, an e-commerce platform, has revealed a significant data breach that occurred as a result of the Codecov supply-chain attack.
Mercari is a publicly listed Japanese online marketplace that has recently expanded into the United States and the United Kingdom.
As of 2017, the Mercari app had been downloaded by over 100 million people around the world, making the company the first in Japan to achieve unicorn status.
Codecov, a popular code coverage tool, was the target of a two-month supply-chain attack.
During this two-month period, the attackers altered the legitimate Codecov Bash Uploader tool to exfiltrate environment variables from Codecov customers’ CI/CD environments (which included sensitive information such as keys, tokens, and credentials).
Using the credentials obtained from the tampered Bash Uploader, Codecov attackers were able to hack hundreds of customer networks.
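The tampered uploader worked because CI jobs fetched and ran it with the full job environment in scope. The following is an added example, not code from Mercari or Codecov, of one defensive pattern: refuse to run a third-party script unless it matches a pinned SHA-256 digest, and pass it only the variables it needs. The function names and the stand-in script are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: pin a third-party CI script by digest and run it with a
# minimal environment. Function names are hypothetical.

# Print the SHA-256 hex digest of a file (GNU coreutils or shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# run_pinned SCRIPT EXPECTED_SHA256 [VAR...]
# Returns 1 without executing SCRIPT if its digest differs from the pin.
# Otherwise runs it with an empty environment plus PATH and the named VARs,
# so secrets the script does not need are never visible to it.
run_pinned() {
    script=$1; expected=$2; shift 2
    actual=$(sha256_of "$script") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "refusing to run $script: digest $actual does not match pin" >&2
        return 1
    fi
    for name in "$@"; do
        case $name in ''|[0-9]*|*[!A-Za-z0-9_]*) return 2 ;; esac
        eval "value=\${$name-}"
        set -- "$@" "$name=$value"; shift   # swap NAME for NAME=value
    done
    env -i PATH="$PATH" "$@" sh "$script"   # use bash here for a bash script
}

# Constructed demo: a stand-in script that reports which variables it sees.
demo() {
    dir=$(mktemp -d) || return 2
    printf 'echo "token=${CI_TOKEN-unset} build=${BUILD_NAME-unset}"\n' > "$dir/up.sh"
    pin=$(sha256_of "$dir/up.sh")   # in practice: digest of a reviewed copy
    CI_TOKEN=constructed-secret; BUILD_NAME=demo; export CI_TOKEN BUILD_NAME
    run_pinned "$dir/up.sh" "$pin" BUILD_NAME; rc=$?
    rm -rf "$dir"
    return "$rc"
}

demo
```

The pin only helps if it is taken from a copy of the script that was reviewed and is stored with the pipeline configuration, not fetched alongside the script at build time.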
Now, the e-commerce giant Mercari has revealed that the Codecov supply-chain attack significantly affected its customer data.
The company has acknowledged that the Codecov breach exposed tens of thousands of customer records, including financial details, to external actors.
According to Mercari's investigation, the following records were compromised:
- Between August 5, 2014 and January 20, 2014, there were 17,085 records related to the transfer of sales proceeds to customer accounts.
- Bank code, branch code, account number, account holder (kana), and transfer amount are among the data exposed.
- For a select few, 7,966 records on “Mercari” and “Merpay” business associates were revealed, including names, dates of birth, affiliations, e-mail addresses, and more.
- There are 2,615 documents on certain workers, including those who work for Mercari. These include employee names, company email addresses, employee IDs, phone numbers, dates of birth, and other information as of April 2021.
- Details of previous staff, vendors, and external company employees who dealt with Mercari 217 customer service support cases between November 2015 and January 2018.
- Customer information exposed includes name, address, e-mail address, phone number, and inquiry material.
- There are 6 records linked to a May 2013 incident.
In the infographic below, Mercari depicts the data breach and how this data was revealed to third-party actors:

Shortly after Codecov’s initial disclosure in mid-April, Mercari became aware of the consequences of the Codecov breach.
Mercari was also notified by GitHub on April 23rd of suspicious behavior linked to the incident seen on Mercari’s repositories.
As Mercari discovered that a malicious third party had obtained and misused their authentication credentials, the company deactivated the compromised credentials and secrets immediately, while continuing to investigate the full scope of the breach.
On April 27, Mercari found that unauthorized external parties had accessed some of its customer information and source code.
Mercari has completed its investigation and released the findings today.
The company told everyone whose details had been compromised, as well as relevant agencies, such as the Personal Information Protection Commission of Japan, about the data breach.
The company apologized for the inconvenience and stated that it would continue to introduce additional security improvement measures and review this matter with the help of external security experts, and that it will immediately disclose any new details that may be made public.