2021.5.22
Press release

Mercari’s Response to the Codecov Vulnerability and Related Notification on Personal Information Exposure

*The following document is a translation of our Japanese press release.

Mercari, Inc. has confirmed that, due to a vulnerability identified in Codecov (an external code coverage tool* that is used within the company), part of our source code was accessed without authorization. A limited set of personal information that was exposed in our source code (detailed below) was also accessed as a result.

– 17,085 records of information concerning payouts of sales proceeds to users in Japan carried out on the Mercari marketplace app between August 5, 2013, and January 20, 2014;
– 217 records of information related to customer service support between November 2015 and January 2018;
– 6 records of information related to an event held in May 2013;
– 7,966 records of information related to a limited number of business partners of Mercari and Merpay;
– 2,615 records of information concerning a limited number of employees of Mercari Group
*A tool that measures test code coverage (the proportion of a program’s source code that has been put through automated testing.

The details of this incident and Mercari’s response are outlined below.

1. Background of the Incident

On April 15, 2021, Codecov LLC, which operates the external code coverage tool Codecov, made a public announcement regarding the compromise of their Bash Uploader script by a third party.

Summary of Codecov LLC’s announcement:

Beginning January 31, 2021, there were periodic, unauthorized alterations of Codecov’s Bash Uploader script by a third party. Due to this unauthorized access, there is a possibility that companies and users using Codecov during this time may have had credentials, tokens, or keys that would be accessible when the Bash Uploader script was executed leaked. Additionally, this may have leaked any services, datastores, and application code that could be accessed with these credentials, tokens, or keys.
(Details: https://about.codecov.io/security-update/)

As a result of this announcement we became aware that there was a possibility that credentials in our continuous integration (CI) environment connected to Codecov had been exfiltrated, and on April 16 we began revoking all credentials that were exposed in our CI environment.

On April 23, we received a notification from GitHub, Mercari’s source code management system provider, explaining that part of our source code stored on GitHub may have been impacted by the Codecov incident. We promptly requested detailed logs from GitHub and discovered that a third party had used credentials exfiltrated through Codecov to access part of our source code without authorization. The affected source code repositories also contained some internal credentials, which we immediately took action to revoke. (*We confirmed that the unauthorized access to GitHub occurred several times starting January 31, and then again concentrated between April 13 and April 18. We promptly revoked the credentials used for unauthorized access to GitHub and observed no further access thereafter.

We set the resolution of this issue as the company’s top priority, established an emergency task force, and immediately reported the incident to the relevant authorities. Additionally, in order to prevent further unauthorized access, we began investigating all of the source code that had been accessed to check for credentials and other sensitive information and rotating all credentials exposed in the source code.

In the course of our investigation, on April 27, we discovered that some user information was exposed in the source code. However, as announcing this matter immediately could have led to further attacks and additional damage, we decided to 1) give top priority across the entire company to preventing further unauthorized access and identifying the scope of impact and 2) notify those whose information was exposed and make our external announcement as soon as possible after measures to prevent further damage were completed. We reported this decision to the Personal Information Protection Commission and other relevant third parties.

Now that our initial response and investigation have concluded, we have decided to publish this press release to inform everyone of the situation.

2. Impact on Mercari

As of May 21, we have completed our primary investigation of the incident. At present, the information confirmed to have been exposed is as follows:

– Part of the source code for Mercari (including Mercari US and past services) and Merpay stored on GitHub

– The following information regarding a limited number of business partners and Mercari Group employees included in the exposed source code:

・Mercari (Japan) data including some user information

Information concerning payouts of sales proceeds to users carried out between August 5, 2013, and January 20, 2014 (bank codes, branch codes, account numbers, account holder names (katakana), amount transferred): 17,085 records

Information related to customer service support between November 2015 and January 2018 (names, addresses, email addresses, telephone numbers, content of inquiries): 217 records

Information related to an event held in May 2013 (names, ages, genders, email addresses): 6 records
*At present, we have not confirmed any user information related to Merpay or Mercari US to have been impacted.

Information related to a limited number of business partners of Mercari and Merpay:

Merpay merchant information (individual business owner names): 7,925 records

Mercari/Merpay business partner information (names, dates of birth, organization names, email addresses, etc.): 41 records

Information concerning employees of Mercari Group (names, company email addresses, employee ID numbers, phone numbers, dates of birth, etc. of a limited number of employees, including past employees and some outsourced employees, dated April 2021): 2,615 records

As of this announcement, there has been no damage to users stemming from this incident. We have also confirmed that there was no additional unauthorized access or impact to the services that we operate. If any new information arises we will disclose it promptly.

3. Cause

Unauthorized access and modification of the external code coverage tool Codecov’s Bash Uploader script by a third party.

4. Mercari’s Initial Response

As of May 21, we have finished implementing the following countermeasures and conducting a primary investigation of the incident’s impact in order to prevent further unauthorized access. We have also suspended use of Codecov after discovering this incident.

– Investigating and resetting (revoking/rotating) all impacted credentials

– Identifying the scope of impact and enhancing security measures

Primary investigation of personal information stored on GitHub*

Full investigation of whether there was further unauthorized access using credentials exposed in the source code*

**We have rules prohibiting the storage of personal information and credentials on GitHub. However, given this incident, we are carrying out an investigation into whether similar cases exist with the help of external organizations.

–  Notifying parties whose information was exposed and establishing dedicated points of contact

With this announcement, we will promptly begin directly contacting parties whose information may have been compromised. We have also established dedicated points of contact for inquiries regarding this incident.

–  Reporting to the Personal Information Protection Commission and other relevant third parties

After discovering this incident on April 23, we reported the incident to the Personal Information Protection Commission and other relevant third parties. We are sharing information with these organizations and reporting to them in an effort to prevent further damage.

5. Next Steps

We have leveraged the expertise of external security specialists to further strengthen our security measures and ensure the thoroughness of our investigation regarding the incident, and we will report additional updates as necessary.

As there is a possibility that many companies and vendors both inside and outside of Japan have been affected by the Codecov vulnerability, we will continue to work with relevant organizations to minimize the impact of this incident.

6. Support and Contact Information

Our support for parties whose information may have been compromised is detailed below. We have also established dedicated points of contact for inquiries regarding this incident.

We deeply apologize to everyone affected by this for the concern and inconvenience this may cause.

1) Information regarding Mercari users in Japan

Our response:
Mercari has begun directly contacting those whose information may have been accessed without authorization to explain the situation. Affected parties fall into the following groups of exposed information:

– Information concerning payouts of sales proceeds to users carried out between August 5, 2013, and January 20, 2014

– Information related to customer service support between November 2015 and January 2018

– Information related to an event held in May 2013

For questions:
We have established a dedicated point of contact for users who have confirmed that their information may have been compromised.

Please read through the following guide.

Contacting Mercari regarding compromised user information
https://www.mercari.com/jp/help_center/article/1159/ (only available in Japanese)

We have also established a dedicated page for users to check if their information was included in the information concerning payouts of sales proceeds to users.

Check if your bank account information may have been compromised
Click the following link and log in to see if your information may have been compromised.
https://www.mercari.com/jp/mypage/check_information/202105/ (only available in Japanese)

*If you cannot log in or have deleted your account, please contact us through the point of contact linked above.

For Mercari users in the United States: After conducting an extensive review, we have confirmed that no user data in the US has been compromised as a result of this incident.

 

2) Information regarding Mercari and Merpay’s business partners

Our response:
Mercari and Merpay have begun directly contacting those partners whose information may have been compromised to provide guidance and explain the situation.

For questions:
Mercari and Merpay are already directly contacting these partners, but please contact the dedicated email address below with further questions or concerns.

support-mercarigroup-partner@mercari.com (Mercari Group Partner Support)

 

3) Information regarding Mercari Group employees

*Including former employees and some outsourced employees

Our response:
Mercari has begun directly contacting those whose information may have been compromised to explain the situation.

For questions:
We are already directly contacting these individuals, but please contact the dedicated email address below if you think your information may have been compromised or you have other concerns.

mercarigroup-employeesupport@mercari.com (Mercari Group HR)

Mercari Group understands the gravity of this situation, and we will continue to work towards strengthening security measures across the group to ensure users can enjoy a safe and secure service.

Again, we are truly sorry for any concern and inconvenience this incident may cause.

Related information: Our response to this unauthorized third-party access