iFood Confirms Data Breach Affecting 1.2 Million Brazilian Users
Brazilian food delivery app iFood has acknowledged a data breach that exposed sensitive information of approximately 1.2 million users roughly 2% of its customer base. The incident, which occurred in December 2025, was disclosed by the company on June 3, 2026, following unauthorized access to user data.
The breach compromised names, phone numbers, addresses, and CPF numbers Brazil’s critical taxpayer identification documents used in financial and legal transactions. iFood confirmed that passwords, bank details, and credit card information remained unaffected. The company dismissed earlier claims by hackers on BreachForums, who alleged the theft of 43.8 million records, stating no evidence supports such a large-scale impact. However, some threat actors suggest the admitted breach may be an older, separate incident, leaving the possibility of a more recent, larger leak unresolved.
Under Brazil’s LGPD (General Data Protection Law), iFood determined the breach did not meet the threshold for mandatory user notifications, as the National Data Protection Authority (ANPD) exempts incidents deemed low-risk. Despite this, the exposure of CPF numbers raises concerns over potential identity fraud. iFood has advised users to rely only on official app communications for security updates.
Source: https://www.scworld.com/brief/ifood-confirms-data-breach-affecting-1-2-million-users
iFood TPRM report: https://www.rankiteo.com/company/ifood-
"id": "ifo1780619271",
"linkid": "ifood-",
"type": "Breach",
"date": "6/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '1,200,000',
'industry': 'Food Delivery',
'location': 'Brazil',
'name': 'iFood',
'type': 'Company'}],
'customer_advisories': 'Advised users to rely only on official app '
'communications for security updates',
'data_breach': {'number_of_records_exposed': '1,200,000',
'personally_identifiable_information': 'Names, phone numbers, '
'addresses, CPF '
'numbers',
'sensitivity_of_data': 'High (CPF numbers, addresses, phone '
'numbers)',
'type_of_data_compromised': 'Personally Identifiable '
'Information (PII)'},
'date_detected': '2025-12',
'date_publicly_disclosed': '2026-06-03',
'description': 'Brazilian food delivery app iFood has acknowledged a data '
'breach that exposed sensitive information of approximately '
'1.2 million users, roughly 2% of its customer base. The '
'incident compromised names, phone numbers, addresses, and CPF '
'numbers. The company confirmed that passwords, bank details, '
'and credit card information remained unaffected.',
'impact': {'data_compromised': 'Names, phone numbers, addresses, CPF numbers',
'identity_theft_risk': 'High (due to CPF exposure)',
'payment_information_risk': 'None (credit card information '
'unaffected)'},
'investigation_status': 'Ongoing (possibility of larger, unresolved leak)',
'references': [{'source': 'BreachForums (hacker claims)'}],
'regulatory_compliance': {'regulations_violated': 'LGPD (General Data '
'Protection Law)',
'regulatory_notifications': 'Exempted from '
'mandatory user '
'notifications '
'(low-risk '
'determination by '
'ANPD)'},
'response': {'communication_strategy': 'Advised users to rely only on '
'official app communications for '
'security updates'},
'title': 'iFood Data Breach Affecting 1.2 Million Brazilian Users',
'type': 'Data Breach'}