This week, the Argentinian e-commerce behemoth Mercado Libre disclosed “unauthorized access” to a portion of its source code. According to the company, threat actors allegedly gained access to the data of about 300,000 of Mercado’s users. The news comes after Lapsus$, a data extortion gang, threatened to publish data purportedly taken from Mercado and other vital corporations in a poll.
MercadoLibre revealed today in a press statement and a Form 8-K filing that unauthorized access to a portion of its source code had occurred. According to the first research, the data of MercadoLibre’s 300,000 users was also accessed. It doesn’t look that Mercado’s IT infrastructure has been harmed or that critical data has been compromised at this time. The firm said that security mechanisms had been engaged, and a thorough investigation is underway.
“We have not found any evidence that our infrastructure systems have been compromised or that any users’ passwords, account balances, investments, financial information, or credit card information were obtained. We are taking strict measures to prevent further incidents,” says Mercado.
MercadoLibre is Latin America’s largest e-commerce and payments platform, with headquarters in Buenos Aires. Argentina, Brazil, Mexico, Colombia, Chile, Venezuela, and Peru are among the eighteen countries with a user base of around 140 million unique active users. Mercado Libre, Inc., the company’s American branch, operates online markets such as mercadolibre.com.
Lapsus$ claims to have gained access to 24,000 source code repositories from MercadoLibre and Mercado Pago. On March 7th, a Lapsus$ Telegram channel posted a poll, mockingly asking members to vote for the firm whose data Lapsus$ should leak next. Impresa and Vodafone are also on the list of accused victims. According to Lapsus $, the poll will conclude at 00:00 on March 13th, 2022.
Extortion gangs like Lapsus$ hack victims, but instead of encrypting private information like ransomware, they steal and hang on to victims’ proprietary material, which they then disseminate if their extortion demands are not satisfied. Earlier this month, Lapsus$ claimed responsibility for a data breach at NVIDIA, the American chipmaker. Over 71,000 NVIDIA employee identities were stolen in the attack, with some information exposed online.
