Brazilian food delivery app iFood said a data breach in December affected 1.2 million users, or about 2% of its customer base, exposing names, phone numbers, addresses and CPF numbers.
KEY FACTS
- Impact The company said 1.2 million users were affected.
- Data exposed Names, phone numbers, addresses and CPF numbers were taken.
- Not exposed Passwords, bank details and credit card records were not accessed.
- Claim A hacker on BreachForums said 43.8 million records were stolen.
The disclosure said the incident was isolated and was handled in compliance with Brazil’s data protection rules. iFood said it did not send formal notices to affected users because the event did not create relevant risk or damage under ANPD criteria.
Brazilian CPF numbers are widely used for identity checks and everyday transactions, which can make them valuable to scammers. The company said its security systems contained the issue quickly and urged customers to trust only messages sent through its official app.
Questions remain over the scale of the attack. A hacker using the alias bacen claimed on BreachForums that 43.8 million customer records had been stolen and threatened to leak the data in stages unless a ransom was paid by June 10. The company denied that figure.
According to a company statement, the affected data did not include passwords or payment information. TecMundo reported that hackers disputed iFood’s account and said the 1.2 million-user case was separate from the larger claim.
WHY IT MATTERS
The case shows how even limited data leaks can create identity fraud risks when CPF numbers are exposed. It also highlights the uncertainty that can follow breach claims when companies and alleged attackers give conflicting accounts.