Privacy Ninja

E-commerce Giant Suffers Major Data Breach in Codecov Incident

E-commerce platform Mercari has disclosed a major data breach incident that occurred due to exposure from the Codecov supply-chain attack.

Mercari is a publicly traded Japanese company and an online marketplace that has recently expanded its operations to the United States and the United Kingdom.

The Mercari app has scored over 100 million downloads worldwide as of 2017, and the company is the first in Japan to reach unicorn status.

As earlier reported by BleepingComputer, popular code coverage tool Codecov had been a victim of a supply-chain attack that lasted for two months.

During this two-month period, threat actors had modified the legitimate Codecov Bash Uploader tool to exfiltrate environment variables (containing sensitive information such as keys, tokens, and credentials) from Codecov customers’ CI/CD environments.

Using the credentials harvested from the tampered Bash Uploader, Codecov attackers reportedly breached hundreds of customer networks.

Major data leak exposes thousands of customer financial records

Today, e-commerce giant Mercari has disclosed major impact from the Codecov supply-chain attack on its customer data.

The company has confirmed that tens of thousands of customer records, including financial information, were exposed to external actors due to the Codecov breach.

After concluding their investigation today, May 21st, Mercari states that the compromised records include:

  • 17,085 records related to the transfer of sales proceeds to customer accounts that occurred between August 5, 2014 and January 20, 2014.
    • Exposed information includes bank code, branch code, account number, account holder (kana), and transfer amount.
  • 7,966 records on business partners of “Mercari” and “Merpay,” including names, date of birth, affiliation, e-mail address, etc., exposed for a few of them.
  • 2,615 records on some employees, including those working for a Mercari subsidiary.
    • Names of some employees current as of April 2021, company email address, employee ID, telephone number, date of birth, etc.
    • Details of past employees, some contractors, and employees of external companies who interacted with Mercari.
  • 217 customer service support cases registered between November 2015 and January 2018.
    • Exposed data includes customer name, address, e-mail address, telephone number, and inquiry content.
  • 6 records related to an event that occurred in May 2013.

Mercari has illustrated the attack and how this data was exposed to third-party actors in the following infographic:

An illustration depicting how the Codecov supply-chain attack impacted Mercari (Source: Mercari)

Mercari drops Codecov entirely after month-long investigation

Codecov supply-chain attack timeline updated 21-May-2021 (BleepingComputer)

Mercari became aware of the impact from the Codecov breach shortly after Codecov’s initial disclosure in mid-April.

On April 23rd, GitHub also notified Mercari of suspicious activity related to the incident seen on Mercari’s repositories.

The same day, Mercari began digging deeper and requested detailed access logs from GitHub.

Eventually, Mercari staff determined that a malicious third party had acquired and misused their authentication credentials, accessed Mercari’s private repositories (including source code), and obtained further unauthorized access to its systems between April 13th and April 18th.

On discovery of this attack, Mercari immediately deactivated the compromised credentials and secrets and continued investigating the full impact of the breach.

On April 27, Mercari discovered that some of its customer information and source code had been illicitly accessed by unauthorized external parties.

The company says it had to delay disclosing the data breach until today because its investigation was still ongoing, and until all security weaknesses had been identified and remediated, it risked suffering further attacks and damage.

Mercari has now concluded its investigation and hence come forward with the detailed disclosure today.

As observed by BleepingComputer, this week the e-commerce giant also began purging Codecov from all of its GitHub repositories:

Mercari removes Codecov from its GitHub repositories (Source: BleepingComputer)

Prior to this, multiple Mercari repositories used the Codecov Bash Uploader that had been compromised, as confirmed by BleepingComputer:

Mercari repos earlier used the Codecov Bash Uploader that was compromised (Source: BleepingComputer)

Mercari has individually contacted the people whose information has been compromised, and also notified relevant authorities, including the Personal Information Protection Commission, Japan, of this data breach:

“At the same time as this announcement, we will promptly provide individual information to those who are subject to the information leaked due to this matter, and we have also set up a dedicated contact point for inquiries regarding this matter.”

“In the future, we will continue to implement further security enhancement measures and investigate this matter while utilizing the knowledge of external security experts, and will promptly report any new information that should be announced.”

“We sincerely apologize for any inconvenience and concern caused by this matter,” says Mercari in a rough translation of its original press release.

Today’s disclosure comes after multiple companies have recently come forward with the impact of the Codecov supply-chain attack on their private repositories. These include software manufacturer HashiCorp, cloud communications platform Twilio, cloud services provider Confluent, insurance company Coalition, U.S. cybersecurity firm Rapid7, and workflow management platform Monday.com.

Last month, Codecov also began sending additional notifications to the impacted customers and disclosed a thorough list of Indicators of Compromise (IOCs), i.e. attacker IP addresses associated with this supply-chain attack.

Codecov users should scan their CI/CD environments and networks for any signs of compromise, and as a safeguard, rotate any and all secrets that may have been exposed.
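The tampered Bash Uploader reached victims' pipelines because CI jobs fetched it from the network and ran it directly, which is also why Mercari's remediation included stripping Codecov from its repositories. As an added example (not code from Mercari, Codecov or BleepingComputer), the script below finds that fetch-and-execute pattern in a constructed sample tree and contrasts it with a checksum-pinned download; the sample files, the download URL and the checksum variable are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not Mercari's, Codecov's or BleepingComputer's code): find CI
# configuration that fetches the Codecov Bash Uploader and executes it straight
# from the network, the path by which the tampered script ran in victims'
# pipelines. Sample files are constructed; the invocations use the common
# documented "curl | bash" idiom, not lines taken from any real repository.
set -u

# Build a small constructed tree: two unverified invocations plus one that
# downloads to disk and checks a checksum before executing anything.
make_samples() {
  local dir
  dir=$(mktemp -d)
  mkdir -p "$dir/.github/workflows" "$dir/ci"
  cat > "$dir/.github/workflows/test.yml" <<'EOF'
      - run: bash <(curl -s https://codecov.io/bash)
EOF
  cat > "$dir/ci/coverage.sh" <<'EOF'
curl -s https://codecov.io/bash | bash
EOF
  # Hardened shape (download URL and checksum variable are assumptions):
  # verify against a checksum recorded from the vendor, then run.
  cat > "$dir/ci/safe.sh" <<'EOF'
curl -sSfo codecov https://uploader.codecov.io/latest/linux/codecov
echo "${EXPECTED_CODECOV_SHA256}  codecov" | sha256sum -c - && chmod +x codecov
EOF
  printf '%s\n' "$dir"
}

# Print "file:line:content" for each line that downloads the Bash Uploader
# and pipes or process-substitutes it into a shell with no verification step.
find_unverified_uploads() {
  local root=$1
  grep -rnE 'codecov\.io/bash' "$root" 2>/dev/null \
    | grep -E '\|[[:space:]]*(ba)?sh([[:space:]]|$)|bash[[:space:]]*<\('
}

# Number of unverified invocations under a tree; 0 means none were found.
count_unverified_uploads() {
  find_unverified_uploads "$1" | wc -l | tr -d ' '
}

# Stand-alone run over the constructed tree.
sample_root=$(make_samples)
find_unverified_uploads "$sample_root"
echo "unverified uploader invocations: $(count_unverified_uploads "$sample_root")"
rm -rf "$sample_root"
```

Pointing `find_unverified_uploads` at a real checkout lists every job that still trusts whatever the uploader URL serves at run time; those are the jobs whose environment variables and secrets should be treated as exposed and rotated.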
