iFood Confirms Data Breach Affecting 1.2 Million Users in Brazil

Summary

Brazilian food delivery app iFood confirmed a December 2025 data breach affecting 1.2 million users (2% of its customer base), exposing names, phone numbers, addresses, and CPF numbers. Hackers on BreachForums claiming the alias "bacen" initially alleged a much larger theft of 43.8 million records with ransom demands, though iFood denied these numbers. A secondary hacker source suggested the larger breach may be separate and still unresolved.

Full text

Data BreachesiFood Confirms Data Breach Affecting 1.2 Million Users in Brazil iFood confirms a data breach affecting 1.2 million customers in Brazil, while hackers on BreachForums claim the actual theft is much larger. byDeeba AhmedJune 4, 20262 minute read Brazilian food delivery app iFood has confirmed becoming the victim of a data breach in December 2025 that affected 1.2 million users (which makes up about 2% of its customer base). According to the iFood announcement on Wednesday, June 3, the incident was an isolated issue where hackers took names, phone numbers, addresses, and CPF numbers. Like Social Security Numbers (SSN) in the United States, CPFs are Brazilian taxpayer identity documents used everywhere for everyday tasks like opening bank accounts, shopping, and verifying identity. Fortunately, iFood clarified that hackers did not get passwords, bank details, or credit card records. Data breach details and Hacker’s post on BreachForums (Credit: Hackread.com) For context, iFood’s Android app has more than 100 million downloads, while its iOS app is also extremely popular in Brazil. The Debate Over Numbers iFood’s confirmation follows a disagreement over the attack’s size when, on May 28, 2026, a hacker using the alias bacen posted claims of stealing around 43.8 million customer records from the app. The hacker’s post on BreachForums came with a threat to leak the data in stages and increase the price unless iFood paid a ransom by June 10. However, iFood strongly denied these massive numbers. The company said it found no proof that 43 million people were affected. Yet, the story took another turn. According to Brazilian news site TecMundo’s report, hackers are rejecting the official story from iFood. A hacker named Harold told TecMundo that the 1.2 million leak iFood admitted to is an entirely separate security issue from December, and their larger, more recent theft might still be real. Legal Concerns and Risks This situation is causing people to look closely at Brazil’s data protection law, known as LGPD. This law sets the rules for how companies should handle private data. iFood chose not to send formal alerts to the affected users. The company explained that under the rules of Brazil’s data protection authority, the ANPD, companies don’t need to notify users if an incident doesn’t create a real danger or harm to them. “The incident was handled and assessed in strict compliance with the law, which waives reporting and communication when the event does not create relevant risk or damage to data holders, according to regulatory criteria defined by the ANPD,” the company’s statement reads. Still, it is a concerning situation because CPF numbers are highly valuable to scammers who want to commit identity fraud. iFood said its safety systems stopped the issue quickly and urged customers to only trust messages sent through its official app. Deeba Ahmed Deeba is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. Her expertise and in-depth analysis make her a key contributor to the platform’s trusted coverage. View Posts BrazilCyber AttackCybersecuritydata breachData leakFood DeliveryiFoodPrivacy Leave a Reply Cancel reply View Comments (0) Related Posts Read More Security Data Breaches Leaks Privacy HealthTech Database Exposed 108GB Medical and Employment Records A misconfigured database exposed 108.8 GB of sensitive data, including information on over 86,000 healthcare workers affiliated with… byWaqas Read More Security Data Breaches Leaks Privacy AI Firm’s Misconfigured Server Exposed 5.3 TB of Mental Health Records A misconfigured server from a US-based AI healthcare firm Confidant Health exposed 5.3 TB of sensitive mental health… byDeeba Ahmed Read More Security Data Breaches Leaks Hacker Accesses Millions of IMDataCenter Records from Exposed AWS Bucket Florida firm IMDataCenter exposed 38GB of sensitive data including names, emails and ownership info. At least one hacker accessed and downloaded the files. byWaqas Read More Data Breaches Hacking News Security Researcher Wipes White Supremacist Dating Sites, Leaks Data on okstupid.lol Security researcher in "Martha Root" in Pink Power Ranger deletes white supremacist dating sites live onstage, leaks 8,000 profiles and 100GB of data at Chaos Communication Congress (CCC) 2025. byWaqas

Entities