E-commerce platform Mercari has disclosed a major data breach incident that occurred due to exposure from the Codecov supply-chain attack.
Mercari is a Japanese public company and an online marketplace which has recently expanded its operations to the United States and United Kingdom.
The Mercari app has been downloaded by more than 100 million users worldwide as of 2017, and the company is the first in Japan to reach unicorn status.
The popular code coverage tool Codecov was the victim of a supply-chain attack that lasted for two months. During that period, the attackers modified the legitimate Codecov Bash Uploader tool so that it exfiltrated environment variables (containing sensitive information such as keys, tokens, and credentials) from Codecov customers’ CI/CD environments.
Codecov attackers managed to breach hundreds of customer networks by using the credentials gathered from the tampered Bash Uploader.
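One mitigation for the mechanism described above, as an added example that is not code from the article, Mercari or Codecov: pin the SHA-256 of a downloaded CI helper script in the pipeline definition and refuse to run it on a mismatch, so an in-place swap of the script fails the build instead of running with the job's secrets. The sample script contents in `demo` are constructed.

```shell
#!/bin/sh
# Added example, not Mercari's or Codecov's code. A CI job should not run a
# helper script fetched from a fixed URL on trust: the Codecov uploader was
# replaced in place at its usual address. Pinning the expected SHA-256 in the
# pipeline turns a silent swap into a failed build.

# verify_script FILE EXPECTED_SHA256
# Returns 0 when the file's SHA-256 equals the pinned value, 1 otherwise.
verify_script() {
    file="$1"
    expected="$2"
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "integrity check failed for $file" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    return 0
}

# run_pinned FILE EXPECTED_SHA256 [ARGS...]
# Executes FILE only after verify_script succeeds, so a modified script
# never runs and never sees the job's environment variables.
run_pinned() {
    file="$1"
    expected="$2"
    shift 2
    verify_script "$file" "$expected" || return 1
    sh "$file" "$@"
}

# demo: constructed sample, a "known good" uploader and a copy that was
# changed after the hash was pinned. Prints one line per case.
demo() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\necho "uploading coverage report"\n' > "$dir/uploader.sh"
    pinned=$(sha256sum "$dir/uploader.sh" | cut -d' ' -f1)   # value kept in CI config
    cp "$dir/uploader.sh" "$dir/uploader-modified.sh"
    echo 'echo "line added after the hash was pinned"' >> "$dir/uploader-modified.sh"
    run_pinned "$dir/uploader.sh" "$pinned" && echo "pinned copy: ran"
    run_pinned "$dir/uploader-modified.sh" "$pinned" || echo "modified copy: refused"
    rm -r "$dir"
}

demo
```

The pinned hash has to be updated deliberately, through a reviewed change to the pipeline, whenever the upstream script legitimately changes.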
Now, the e-commerce giant Mercari has disclosed major impact from the Codecov supply-chain attack on its customer data.
The company has confirmed that tens of thousands of customer records, including financial information, were exposed to external actors due to the Codecov breach.
Based on the investigation conducted, Mercari states that the compromised records include:
- 17,085 records related to the transfer of sales proceeds to customer accounts that occurred between August 5, 2014 and January 20, 2014. The exposed data includes bank code, branch code, account number, account holder (kana) and transfer amount.
- 7,966 records on business partners of “Mercari” and “Merpay,” including names, date of birth, affiliation, e-mail address, and similar details (exposed for some of these partners).
- 2,615 records on some employees, including those working for a Mercari subsidiary: names of some employees current as of April 2021, company e-mail address, employee ID, telephone number, date of birth, etc., as well as details of past employees, some contractors, and employees of external companies who interacted with Mercari.
- 217 customer service support cases registered between November 2015 and January 2018. Exposed data includes customer name, address, e-mail address, telephone number, and inquiry content.
- 6 records related to an event that occurred in May 2013.
Mercari became aware of the impact from the Codecov breach shortly after Codecov’s initial disclosure made in mid-April.
On April 23rd, GitHub also notified Mercari of suspicious activity related to the incident seen on Mercari’s repositories.
When Mercari determined that a malicious third party had acquired and misused their authentication credentials, the company immediately deactivated the compromised credentials and secrets and continued investigating the full impact of the breach.
On April 27, Mercari discovered that some of its customer information and source code had been illicitly accessed by unauthorized external parties.
Mercari has now concluded its investigation and has published the disclosure today.
The company notified those users whose information was compromised, and also reported the data breach to the relevant authorities, including Japan’s Personal Information Protection Commission.
The company apologised for the inconvenience caused and stated that it will continue to implement further security enhancements and to investigate the matter with the help of external security experts, and will promptly report any new information that should be announced.