Argentinian e-commerce giant Mercado Libre has confirmed “unauthorized access” to a part of its source code on Tuesday.
Mercado also said that data of around 300,000 of its users was accessed by the threat actors.
The company’s announcement follows a poll by the data extortion group, Lapsus$ in which they threatened to leak data allegedly stolen from Mercado and other large companies.
User Data Accessed
In its press release and Form 8-K filing, MercadoLibre confirmed that a part of its source code had been subject to unauthorized access.
Data of Mercado Libre’s 300,000 users was also accessed according to its initial analysis. At the moment, it does not appear that Mercado’s IT infrastructure was affected or that sensitive information has been compromised.
The company said it has activated security protocols and a thorough analysis is in progress.
“We have not found any evidence that our infrastructure systems have been compromised or that any users’ passwords, account balances, investments, financial information, or credit card information were obtained. We are taking strict measures to prevent further incidents,” said Mercado.
Headquartered in Buenos Aires, Mercado Libre makes up Latin America’s largest e-commerce and payments ecosystem. It has an active user base of around 140 million unique users across 18 different countries.
Lapsus$
Data extortion group Lapsus$ claims to have accessed 24,000 source code repositories of both MercadoLibre and Mercado Pago, according to multiple reports.
A Telegram channel run by Lapsus$ posted a poll on Monday, mockingly asking users to vote for the company whose data Lapsus$ should leak next.
The list of alleged victims also includes Portuguese media conglomerate Impresa and British multinational telecommunications company Vodafone. Lapsus$ said that the poll will close on March 13th, 2022 at midnight.
This attack resembles Lapsus$’s leak of 190 GB-large archives last week that the group claimed contained “confidential Samsung source code.” Samsung confirmed that the threat actors had indeed breached its network that week and stole confidential information, including source code present in Galaxy smartphones.
Extortion groups like Lapsus$ breach victims by stealing and holding onto their proprietary data. They then publish the data online if their extortion demands are not met.
Earlier in March, Lapsus$ claimed responsibility for a data breach at NVIDIA, an American chipmaker giant. The breach resulted in the theft of more than 71,000 NVIDIA employee credentials, with some credentials even being leaked online.