Mercado Libre source-code and user-data breach
The Lapsus$ extortion group accessed part of Mercado Libre's source code and the data of around 300,000 users, claiming to have reached 24,000 internal repositories of the Latin American e-commerce and fintech giant.
- Victim: Mercado Libre
- Records: 300.0K
- Users: 300.0K
In March 2022, Mercado Libre (the largest e-commerce and fintech company in Latin America, headquartered in Buenos Aires) confirmed that the Lapsus$ extortion group had gained unauthorized access to part of its source code and the personal data of roughly 300,000 of its users.
What happened
The breach came to light as part of Lapsus$'s aggressive early-2022 campaign. The group, which operated primarily through a Telegram channel, posted a public poll inviting its followers to vote on which victim's data it should leak next, listing Mercado Libre alongside other targets such as Vodafone and Impresa.
Mercado Libre responded by filing an 8-K disclosure with the U.S. Securities and Exchange Commission, acknowledging that attackers had obtained access to "a certain portion" of its source code. Lapsus$ separately claimed to have reached 24,000 source-code repositories belonging to both Mercado Libre and its payments arm Mercado Pago.
Crucially, the company stated it found no evidence that its infrastructure systems were compromised, or that any user passwords, account balances, investments, financial information, or credit-card data had been obtained. The exposure was limited to a subset of user records and internal code.
Impact
- Data of approximately 300,000 users was accessed, per the company's initial analysis.
- Lapsus$ claimed access to 24,000 repositories spanning Mercado Libre and Mercado Pago.
- No customer funds, credentials, or payment-card data were reported stolen, and there was no operational downtime to the platform.
The Lapsus$ context
Mercado Libre was one node in a remarkable spree by Lapsus$, a loosely organized extortion crew later attributed largely to teenagers in the UK and Brazil. In the same weeks, the group leaked roughly 190 GB of Samsung source code, dumped data from NVIDIA (including more than 71,000 employee credentials), and breached Microsoft and identity provider Okta. Rather than deploying ransomware, Lapsus$ relied on social engineering, SIM-swapping, insider recruitment, and stolen credentials to reach source-code management systems.
Why it matters
The Mercado Libre breach demonstrated that source-code repositories are now prime extortion targets, valuable both as intellectual property and as a map for finding further vulnerabilities. It also showcased Lapsus$'s theatrical, social-media-driven extortion model, which pressured victims through public polls and leaks rather than private negotiation. For Latin America's flagship technology company, the swift, transparent SEC disclosure (and the fact that segmentation kept payment systems untouched) became a comparative case study in containment, even as the incident underscored how exposed even mature engineering organizations are to credential-based intrusions.
Timeline
- Lapsus$ runs a Telegram poll inviting followers to vote on whose data to leak next, listing Mercado Libre among the targets.
- Mercado Libre files an 8-K with the U.S. SEC disclosing unauthorized access to part of its source code.
- The company confirms the data of roughly 300,000 users was accessed but reports no compromise of passwords, balances, or payment data.
- Lapsus$ poll deadline passes; the group's wider campaign also hits Samsung, NVIDIA, and Microsoft.
- UK police arrest several teenagers linked to the Lapsus$ group as part of an international investigation.