Brazilian food delivery app iFood has confirmed that it was the victim of a data breach in December 2025 that affected 1.2 million customers (about 2% of its customer base). According to the iFood announcement on Wednesday, June 3, the incident was an isolated issue in which hackers took names, phone numbers, addresses, and CPF numbers.
Like Social Security Numbers (SSN) in the US, CPFs are Brazilian taxpayer identification documents used everywhere for everyday tasks like opening bank accounts, shopping, and verifying identity. Fortunately, iFood clarified that hackers didn’t get passwords, bank details, or credit card information.
For context, iFood’s Android app has more than 100 million downloads, while its iOS app is also extremely popular in Brazil.
The Debate Over Numbers
iFood’s confirmation follows a disagreement over the size of the attack. On May 28, 2026, a hacker using the alias bacen posted claims of stealing around 43.8 million customer records from the app. The hacker’s post on BreachForums came with a threat to leak the data in stages and raise the price unless iFood paid a ransom by June 10.
However, iFood strongly denied these large numbers. The company said it found no evidence that 43 million people were affected. Yet the story took another turn. According to a report by Brazilian news site TecMundo, hackers are rejecting the official story from iFood. A hacker named Harold told TecMundo that the 1.2 million leak iFood admitted to is an entirely separate security issue from December, and that their larger, more recent theft might still be real.
Legal Concerns and Risks
This situation is causing people to look closely at Brazil’s data protection law, known as LGPD. This law sets the rules for how companies should handle personal data. iFood chose not to send formal alerts to the affected customers. The company explained that under the rules of Brazil’s data protection authority, the ANPD, companies don’t have to notify users if an incident doesn’t create a real danger or harm to them.
“The incident was handled and assessed in strict compliance with the law, which waives reporting and communication when the event doesn’t create relevant risk or damage to data holders, in accordance with regulatory criteria defined by the ANPD,” the company’s statement reads.
However, it is a concerning situation because CPF numbers are highly valuable to scammers who want to commit identity fraud. iFood said its security systems stopped the issue quickly and urged customers to only trust messages sent through its official app.









