E-commerce giant Mercado Libre confirms data breach in source code

mercado libre

Argentina’s e-commerce giant Mercado Libre this week confirmed “unauthorized access” to some of its source code.

Mercado also says that the data of about 300,000 of its users has been used by threat actors.

The company’s announcement follows a poll by the data extortion group Lapsus$ in which they threatened to leak data allegedly stolen from Mercado and other prominent companies.

Consulted data from 300,000 MercadoLibre users

In a press release and Form 8-K filing that BleepingComputer saw today, MercadoLibre confirmed that some of the source code was subject to unauthorized access.

In addition, data from MercadoLibre’s 300,000 users was accessed according to the initial analysis. At this time, it does not appear that Mercado’s IT infrastructure has been compromised or sensitive information has been compromised.

It’s not clear at this time if the information of these 300,000 Mercado users is stored in any of the source code repos – a practice BleepingComputer has encountered before when reporting on some data breach cases.

The company says it has activated security protocols and that a thorough analysis is underway.

“We have found no evidence that our infrastructure systems have been compromised or that passwords, account balances, investments, financial information or credit card information have been obtained from users. We are taking strict measures to prevent further incidents,” Mercado said.

MercadoLibre, headquartered in Buenos Aires, is Latin America’s largest e-commerce and payments ecosystem.

The company has a user base of approximately 140 million unique active users and is present in 18 countries, including Argentina, Brazil, Mexico, Colombia, Chile, Venezuela and Peru.

The US branch of the company, Mercado Libre, Inc. operates online marketplaces, including mercadolibre.com.

Lapsus$ Claims to Have Breached 24,000 Repos

Data extortion group Lapsus$ claims to have had access to 24,000 source code sources of both MercadoLibre and Mercado Pago, according to BleepingComputer.

A Telegram channel run by Lapsus$ published a poll on March 7, mockingly asking users to vote for the company whose data Lapsus$ should leak next.

The list of alleged victims also includes Impresa and Vodafone. According to Lapsus$, the poll closes at 12:00 AM on March 13, 2022.

lapse telegram chatLapsus$Telegram chat with alleged victims (BleepingComputer)

The development resembles Lapsus$’s leak last week of 190GB large archives that the group claimed contained “confidential Samsung source code”. That same week, Samsung confirmed that threat actors had indeed breached its network and stolen confidential information, including source code present in Galaxy smartphones.

Extortion groups such as Lapsus$ compromise victims, but unlike encrypting confidential files as a ransomware operator would do, these actors steal and hold victims’ proprietary information, and publish it if their extortion demands are not met.

Earlier this month, Lapsus$ claimed responsibility for a data breach at US chipmaker giant NVIDIA. The breach resulted in the theft of more than 71,000 NVIDIA employee credentials, some of which had been leaked online.

This post E-commerce giant Mercado Libre confirms data breach in source code

was original published at “https://www.bleepingcomputer.com/news/security/e-commerce-giant-mercado-libre-confirms-source-code-data-breach/”