iFood Data Breach Exposes 1.2 Million Brazilian Users’ Personal Information
Brazilian food delivery giant iFood confirmed a data breach in December 2025, affecting 1.2 million users approximately 2% of its customer base. The company disclosed the incident on June 3, 2026, revealing that hackers accessed names, phone numbers, addresses, and CPF numbers (Brazil’s taxpayer identification equivalent to U.S. Social Security Numbers). While sensitive financial data, including passwords and credit card details, remained secure, the exposed CPF numbers pose a significant risk for identity fraud.
The breach’s scale became a point of contention after a hacker, operating under the alias bacen, claimed on May 28, 2026, to have stolen 43.8 million records far exceeding iFood’s official figure. The hacker threatened to leak the data in stages unless a ransom was paid by June 10. iFood dismissed the claim, stating no evidence supported the larger breach. However, another hacker, Harold, told Brazilian tech outlet TecMundo that the 1.2 million records acknowledged by iFood were from a separate December incident, suggesting the larger theft may still be valid.
The incident has drawn scrutiny under Brazil’s Lei Geral de Proteção de Dados (LGPD), the country’s data protection law. iFood opted not to notify affected users directly, citing ANPD (Brazil’s data protection authority) guidelines that exempt companies from mandatory disclosure if the breach poses no "relevant risk or damage." Despite this, the exposure of CPF numbers critical for banking, shopping, and identity verification heightens concerns over potential fraud.
With over 100 million downloads on Android alone, iFood remains one of Brazil’s most widely used apps. The company stated its security systems contained the breach swiftly and advised users to rely only on official app communications. The conflicting claims and legal implications continue to unfold as authorities and cybersecurity experts assess the full impact.
Source: https://hackread.com/ifood-confirms-data-breach-brazil-users/
iFood cybersecurity rating report: https://www.rankiteo.com/company/ifood-
"id": "IFO1780597495",
"linkid": "ifood-",
"type": "Breach",
"date": "12/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '1.2 million',
'industry': 'Food Delivery',
'location': 'Brazil',
'name': 'iFood',
'size': 'Large (100M+ app downloads)',
'type': 'Company'}],
'customer_advisories': 'Advised users to rely only on official app '
'communications',
'data_breach': {'data_encryption': 'No (data was accessed but not encrypted)',
'data_exfiltration': 'Yes (claimed by hackers)',
'number_of_records_exposed': '1.2 million (officially); 43.8 '
'million (claimed by hacker)',
'personally_identifiable_information': 'Yes (CPF numbers, '
'names, addresses, '
'phone numbers)',
'sensitivity_of_data': 'High (CPF numbers)',
'type_of_data_compromised': ['Names',
'Phone numbers',
'Addresses',
'CPF numbers']},
'date_detected': '2025-12',
'date_publicly_disclosed': '2026-06-03',
'description': 'Brazilian food delivery giant iFood confirmed a data breach '
'in December 2025, affecting 1.2 million users (approximately '
'2% of its customer base). The company disclosed the incident '
'on June 3, 2026, revealing that hackers accessed names, phone '
'numbers, addresses, and CPF numbers (Brazil’s taxpayer '
'identification equivalent to U.S. Social Security Numbers). '
'While sensitive financial data, including passwords and '
'credit card details, remained secure, the exposed CPF numbers '
'pose a significant risk for identity fraud.',
'impact': {'brand_reputation_impact': 'High',
'data_compromised': 'Names, phone numbers, addresses, CPF numbers',
'identity_theft_risk': 'High (CPF numbers exposed)',
'legal_liabilities': 'Potential under LGPD',
'payment_information_risk': 'None (financial data secure)'},
'initial_access_broker': {'data_sold_on_dark_web': 'Threatened by hacker '
"'bacen'"},
'investigation_status': 'Ongoing',
'motivation': 'Extortion (Ransom Demand)',
'ransomware': {'data_exfiltration': 'Yes (claimed)',
'ransom_demanded': "Yes (by hacker 'bacen')"},
'references': [{'source': 'TecMundo'}],
'regulatory_compliance': {'regulations_violated': 'LGPD (Lei Geral de '
'Proteção de Dados)',
'regulatory_notifications': 'Notified ANPD; no '
'mandatory disclosure '
"due to 'no relevant "
"risk' assessment"},
'response': {'communication_strategy': 'Advised users to rely only on '
'official app communications',
'containment_measures': 'Security systems contained the breach '
'swiftly',
'incident_response_plan_activated': 'Yes'},
'threat_actor': ['bacen', 'Harold'],
'title': 'iFood Data Breach Exposes 1.2 Million Brazilian Users’ Personal '
'Information',
'type': 'Data Breach'}