Theft of personal data from Mercado Libre was worse than expected

The Hack to MercadoLibre of March 6, 2022 affected more Mexican users than initially reported. At the time, this leading company in the electronic commerce sector in Mexico reported that the cybersecurity incident had affected 50,000 Mexican user accounts. Today it is known that there are more. How many? Mercado Libre has not reported it, but it has already begun to notify those affected to take precautions.

“We want to notify you that in March there was unauthorized access to part of the source code of Free market and we detected that some personal data from your account was exposed, such as your e-mail, ”reads an email sent by the company to users in Mexico on Friday, April 22, 47 days after the incident occurred.

“If they contact you on behalf of Mercado Libre, never give them your password or your access codes. The security code it is generated only if you request it through the app or the web. For this reason, no legitimate Mercado Libre employee can generate it for you, nor will they ask you to manage a query,” the email reads.

The Mercado Libre communication team said on Friday to The Economist that these new notifications are not related to a new cybersecurity incident, but to an extension of the effects caused by the March 6 attack.

“In compliance with the strict security protocols and the exhaustive analysis process that we actively maintain from unauthorized access to the source code of Mercado Libre, Inc., more accounts affected by this incident that occurred last March have been identified” , reported Mercado Libre in an informative card for this medium.

On March 6, one or more attackers they violated the computer security of Mercado Libre —a company of Argentine origin listed on the New York Stock Exchange— and accessed the company’s source code. As part of the attack, the intruder(s) managed to obtain personal data from 300,000 user accounts (0.21% of the company’s total); 50,000 of them Mexicans (0.03% of the global total).

On March 9, as part of the responses to a questionnaire sent by El Economista, the Mercado Libre communication team reported that “No user’s account as such was compromised. There was also no compromise of our infrastructure or access to our databases.”

According to that information, the attacker or attackers only obtained account names and the emails linked to them. “There was also no compromise of our infrastructure or access to our databases. No service or platform was affected in its operation.

Free Market is the largest e-commerce provider in Mexico by the volume of its sales, according to data from euro monitor International, a market analysis house based in London. Mercado Libre sales represent 15.4% of the total in the country, above amazon (13.2%), Walmart (9.6%), Liverpool (7.0%) and Coppel (6.8%).

“Always maintaining transparent and timely communication with our users, today [viernes 22 de abril] Pertinent notifications were generated for those recently detected, to make them aware that information such as user passwords, account balances, investments, financial or payment card information has not been compromised in their accounts,” Mercado Libre said in the information card requested by The Economist.

The number of affected accounts in Mexico above the 50,000 accounts initially notified by Mercado Libre is unknown. According to the company, in the communication of March 9 already cited, “the protocols and guidelines that are demanded in this type of situation before the corresponding authorities and entities” have been followed.

Leave a Comment