Mercari, an e-commerce platform, has disclosed a major data breach that occurred as a result of the Codecov supply-chain attack. Mercari is a publicly listed Japanese online marketplace that has recently expanded its operations to the United States and the United Kingdom. 

As of 2017, the Mercari app had been installed by over 100 million people around the globe, making the firm the first in Japan to achieve unicorn status. Codecov, a popular code coverage tool, was the victim of a two-month supply-chain attack. During these two months, the hackers modified the legal Codecov Bash Uploader tool to exfiltrate environment variables from Codecov customers’ CI/CD environments (which included sensitive information such as keys, tokens, and credentials). 

The popular code coverage tool Codecov was a victim of a supply-chain attack that lasted for two months. During this two-month period, the attackers have modified the legitimate Codecov Bash Uploader tool to exfiltrate environment variables (containing sensitive information such as keys, tokens, and credentials) from Codecov customers’ CI/CD environments. 

Using the credentials gathered from the tampered Bash Uploader, Codecov attackers managed to hack hundreds of customer networks. Now, the e-commerce giant Mercari has disclosed a major impact from the Codecov supply-chain attack on its customer data. The e-commerce platform has confirmed that the Codecov breach exposed tens of thousands of customer data, including financial details, to threat actors. 

According to Mercari, the following details have been compromised as a result of the investigation: 

• Between August 5, 2014, and January 20, 2014, there were 17,085 records related to the transfer of sales proceeds to customer accounts. The leaked data included bank code, branch code, account number, the account holder (kana), and the transfer amount. 

• For a select few, 7,966 records on ‘Mercari’ and ‘Merpay’ business associates were revealed, including names, dates of birth, affiliations, e-mail addresses, and more. 

• There are 2,615 documents on certain workers, including those who work for Mercari. Employee names, company email address, employee ID, phone number, date of birth, and other information as of April 2021. 

• Details of previous staff, vendors, and external company employees who dealt with Mercari 217 customer service support cases between November 2015 and January 2018. 

• Customer information exposed includes name, address, e-mail address, phone number, and inquiry material. 

• There are 6 records related to a May 2013 incident. Shortly after Codecov’s initial disclosure in mid-April, Mercari became aware of the consequences of the Codecov breach.

Mercari was also notified by GitHub on April 23rd of suspicious behavior linked to the incident seen on Mercari’s repositories. As Mercari found that a malicious third party had obtained and manipulated their authentication credentials, the company deactivated the compromised credentials and secrets immediately, while continuing to investigate the full scope of the breach.

"At the same time as this announcement, we will promptly provide individual information to those who are subject to the information leaked due to this matter, and we have also set up a dedicated contact point for inquiries regarding this matter," Mercari stated in its original press release.

"In the future, we will continue to implement further security enhancement measures and investigate this matter while utilizing the knowledge of external security experts, and will promptly report any new information that should be announced. We sincerely apologize for any inconvenience and concern caused by this matter," the company further added.