Criminal group announced a database with CPFs, addresses, and phone numbers, but the federal agency says its systems were not compromised and links the material to an old incident
An offer published on a forum used by cybercriminals put millions of Brazilians on alert this week. The group responsible for the announcement claimed to have a database with approximately 248.8 million CPF records, as well as company information, addresses, phone numbers, occupations, and corporate links.
The case began to gain attention on Wednesday, June 10, 2026, when the material was advertised as having been taken from a Federal Revenue system. The sellers claimed that the files total about 78.7 gigabytes and contain more than 1 billion records distributed across different tables.
The Federal Revenue, however, published a note on the morning of Thursday, June 11, denying that its systems had been breached or that its databases had been compromised. The agency classified the information about a recent attack as false and stated that the data is old, mostly from 2019.
So far, therefore, there is no independent confirmation that a new leak has occurred within the Federal Revenue. The existence of a database with seemingly true information does not prove, by itself, that this data was taken directly from the agency’s systems.
Announcement promised more than 1 billion organized records
According to information published by TecMundo, the criminal group offered a sample consisting of approximately 100 lines from each of the 24 files presented. The files are reportedly stored in SQLite format, which allows organizing and searching large volumes of information with relative ease.
Among the supposed tables announced were registrations of individuals and legal entities, addresses, phone numbers, mothers’ names, birth dates, occupations, business activities, partners, and registration statuses. The sellers also claimed to have information related to about 41.6 million CNPJs.
The mentioned number of CPFs does not necessarily mean that 248 million living Brazilians have been affected. A database of this nature may contain records of deceased people, foreigners registered with the CPF, old records, duplications, and information gathered from different sources.
Federal Revenue says there was no invasion of systems
According to the official statement published by the Federal Revenue, the criminal offer is based on the recirculation of an old database, known to the authorities and in circulation since 2021. The agency reported that the information is mostly from 2019 and is not related to any incident in its systems in 2026.
The institution also highlighted that the presence of a CPF in a certain data set does not automatically allow identifying its origin. The number has been used for decades by banks, stores, telephone operators, public agencies, credit analysis companies, and numerous other organizations.
In the assessment presented by the agency, criminals may associate an old base with the Federal Revenue to increase the credibility of the announcement and raise the commercial value of the material. Organized bases, with table names similar to those used by public authorities, can also be assembled with information obtained from different leaks.
The Revenue also stated that it continues to monitor the episode in conjunction with the competent authorities. The note, however, did not detail which technical analyses were carried out to relate the files to the old leak, nor did it say whether all the material offered on the forum has already been examined.
Apparently true samples do not prove the origin
The initial analysis of the samples found CPFs and CNPJs with valid check digits, as well as state, municipality, country codes, legal natures, and economic activities compatible with standards used in Brazil. This coherence increases the possibility that at least part of the information is real.
A mathematically valid CPF, however, does not prove that the record belongs to an existing person, nor does it reveal which system it was taken from. Simple programs can verify or even generate combinations compatible with the formation rules of these documents.
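The point about check digits can be made concrete with the publicly documented mod-11 rule for CPFs. The following is an added example, not code from the article or from any party it mentions; the function names and the sample values are constructed for illustration. It triages a small sample the way an analyst might, then shows that arbitrary 9-digit bases all pass once their check digits are computed.

```python
import re
from collections import Counter

def _mod11(digits, weights):
    # Mod-11 rule: a remainder below 2 maps to 0, otherwise 11 - remainder.
    r = sum(d * w for d, w in zip(digits, weights)) % 11
    return 0 if r < 2 else 11 - r

def cpf_check_digits(base9):
    """Two check digits for a 9-digit base (weights 10..2, then 11..2)."""
    d = [int(c) for c in base9]
    d1 = _mod11(d, range(10, 1, -1))
    d2 = _mod11(d + [d1], range(11, 1, -1))
    return f"{d1}{d2}"

def is_valid_cpf(value):
    digits = re.sub(r"\D", "", value)
    # Repeated-digit strings satisfy the arithmetic but are conventionally rejected.
    if len(digits) != 11 or len(set(digits)) == 1:
        return False
    return cpf_check_digits(digits[:9]) == digits[9:]

def triage_sample(rows):
    """Count rows that pass the check and rows that repeat an earlier CPF."""
    valid = [re.sub(r"\D", "", r) for r in rows if is_valid_cpf(r)]
    distinct = Counter(valid)
    return {"rows": len(rows), "valid": len(valid),
            "distinct_valid": len(distinct),
            "duplicate_rows": len(valid) - len(distinct)}

def synthetic_pass_rate(n=1000):
    """Share of arbitrary bases that pass once computed digits are appended."""
    bases = [f"{i:09d}" for i in range(1, n + 1)]
    return sum(is_valid_cpf(b + cpf_check_digits(b)) for b in bases) / n

# Constructed sample values (documentation-style numbers, not from any dataset).
SAMPLE = ["111.444.777-35", "11144477735", "529.982.247-25",
          "123.456.789-09", "123.456.789-10", "000.000.000-00"]

if __name__ == "__main__":
    print(triage_sample(SAMPLE))   # validity and duplicate counts for the sample
    print(synthetic_pass_rate())   # fraction of made-up bases that validate
```

Because every made-up base validates, a high share of valid check digits in a sample says nothing about whether the records are real or where they came from; duplicate counts and cross-checks against known older datasets are more informative.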
Another important point is that various information attributed to the supposed leak can be obtained in public or semi-public records. Data on companies, partner names, economic activities, business addresses, and registration statuses, for example, appear in different consultation services.
Information such as mother’s name, personal phone, email, residential address, and date of birth increases the severity when it appears linked to the same CPF. Even so, these elements may also have been gathered from previous incidents involving private companies, digital platforms, or public services.
There is also a difference between demonstrating that a base contains true data and proving that it was recently taken from a specific institution. The origin, the date of collection, and the method used by criminals remain without public proof.
Old case affected more than 220 million records
The episode mentioned by the Revenue refers to the major leak revealed at the beginning of 2021. During that period, a database initially attributed to credit analysis companies reportedly gathered information on more than 220 million people, a number that also included records of deceased citizens.
The National Data Protection Authority reported in January of that year that it was conducting a technical investigation and had requested clarifications from companies and bodies such as the Federal Police, Internet Steering Committee, and Institutional Security Office. The complete origin of that database remained surrounded by doubts, despite the wide circulation of the information in criminal environments.
Old data can still be used in new scams
Even if the material announced in June 2026 is a copy or reorganization of old data, the risk for citizens does not disappear. Personal information rarely loses its value completely, especially when it includes CPF, full name, parentage, and date of birth.
Criminals can cross-reference old records with current data found on social networks, messaging apps, and public pages. This process allows for the creation of personalized scams, in which the fraudster knows enough details to gain the victim’s trust.
One of the most common risks is the sending of messages about false tax issues, Income Tax refunds, CPF blocks, or nonexistent charges. By mentioning true information, the scammer tries to convince the taxpayer that they have access to an official system.
In an alert previously released, the Revenue explained that fraudsters even use a person's real name, CPF, and address on pages that mimic the gov.br portal. Legitimate tax issues should be verified directly on e-CAC, without accessing links received via WhatsApp, SMS, social networks, or email.
How to increase protection against CPF fraud
The first precaution is not to panic or pay for services that promise to remove the CPF from clandestine databases. There is no procedure capable of erasing all copies of information that is already circulating illegally on the internet.
It is also not necessary to immediately change the gov.br password just because the CPF may be in a database. Changing it becomes advisable when there are signs of unauthorized access, when the password has been exposed, or when the same combination is used in other services.
According to the guidelines of Digital Government, users who identify suspicious activities should change the password, enable two-step verification, review authorized devices, and register a secure email for account recovery. The platform allows the removal of unknown devices and browsers through the official app.
The citizen can also check the Registrato to verify bank accounts, loans, financing, and Pix keys linked to their name. The BC Protege+ service allows informing financial institutions that the person does not wish to open new accounts at that time, reducing the risk of fraudulent opening with false documents.
Another important tool is the Permission to Participate in CNPJ, available through Redesim. This feature prevents the CPF from being included as a partner in, or as the person responsible for, a company without authorization, and it can be temporarily deactivated when the citizen needs to open or join a business.
Confirmation of an incident would require communication to those affected
Brazilian rules determine that a confirmed incident capable of causing significant risk or damage must be communicated to the National Data Protection Agency and the affected holders. The ANPD regulation establishes a general deadline of three business days, unless another legislation specifies a different period.
This obligation depends on the confirmation that a violation occurred and the assessment of the potential damage. A criminal publication without proven origin does not automatically equate to a confirmed incident within the organization pointed out by the sellers.
If new technical analyses find evidence of recent extraction or information not part of the old databases, the scenario may change. For now, the official position is that there was no invasion, leak, or compromise of the Federal Revenue databases.
