
iFood customers receive bad news: leak exposes data of 1.2 million users, including CPF, phone number, and address; investigated flaw may have operated for months and suspicions involving up to 43.8 million registrations increase concern.

Written by Alisson Ficher
Published on 04/06/2026 at 18:02
Updated on 04/06/2026 at 18:03

iFood's confirmation of a data leak has put customers back on alert, while the suspicion of a much larger database remains without independent verification and draws attention to CPF, phone, address, and fraud attempts using exposed personal data.

iFood confirmed that a data leak affected about 1.2 million users, a number equivalent to approximately 2% of its customer base, after samples attributed to criminals circulated in online forums.

According to the company, the incident involved registration data, such as name and CPF, without compromising passwords, payment methods, or financial records.

The confirmation came after an investigation by TecMundo, which received files presented as evidence of the incident and forwarded the material to the platform.

The case gained momentum after a user identified as “bacen” claimed, on May 28, 2026, to have access to data of 43.8 million customers of the app, a number that has not been independently verified so far.

According to iFood, the analyzed material was linked to an internal incident that occurred in December 2025, classified by the company as isolated and quickly neutralized by its security protocols.

In a statement released to the press, the company stated that it found no evidence that 43 million records had been exposed.

The situation, however, still raises concern because the samples attributed to the leak include enough information to facilitate fraud attempts, such as full name, CPF, phone, and address.

Although these data are not financial, they can be used in social engineering scams, especially when combined with information already available in other leaks.

iFood confirms customer data leak

The company maintains that the confirmed episode affected only a fraction of the customer base and did not involve passwords, cards, bank data, or financial transaction records conducted on the platform.

iFood also reported that it followed the procedures provided in Brazilian data protection legislation.

The National Data Protection Authority, according to Folha de S.Paulo, notified iFood to provide the necessary information about the case.

The role of the ANPD is relevant because the General Data Protection Law provides for duties of communication, risk mitigation, and adoption of security measures in incidents involving personal data.

The official position contrasts with the version attributed to the threat actors, who claim the leak is broader and more recent.

So far, however, there is no independent public proof that the database cited by the criminals, with tens of millions of records, exists at the alleged scale.

Analyzed files point to possible flaw in support system

According to the investigation published by TecMundo, the files sent to the newsroom had a standardized structure and indicated possible unauthorized access to a support system related to iFood.

The analyzed documents included records of administrative users and information linked to public agencies, which reinforced the need for technical verification of the material.

One of the criminals, identified as Harold Baker, stated that the exploited flaw was of the IDOR type, short for Insecure Direct Object Reference.

This type of vulnerability occurs when a system allows access to information without correctly verifying whether the user is authorized to view that content.

In practice, such a flaw can allow an authenticated person to access third-party data by manipulating internal identifiers if the system does not adequately validate permission.

The description presented by the criminals, however, does not by itself confirm the extent of the incident nor replace a complete technical investigation.

According to the account attributed to the threat actor, the exploitation went on for about three months and originated from access to a compromised account linked to a police authority.

This claim has not been independently and publicly proven, and TecMundo itself reported that it did not receive sufficient evidence to confirm all the numbers cited by the criminals.
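
The missing permission check that defines an IDOR, as described above, is shown in the following Python example, next to the corrected lookup and a simple log check for accounts requesting many records that are not theirs. It is an added example, not code from iFood or from the reports on the case; the ticket store, field names, accounts, and log entries are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records; names, fields and values are hypothetical.
TICKETS = {
    101: {"owner": "alice", "cpf": "000.000.000-00", "address": "Rua A, 1"},
    102: {"owner": "bob", "cpf": "111.111.111-11", "address": "Rua B, 2"},
    103: {"owner": "carol", "cpf": "222.222.222-22", "address": "Rua C, 3"},
}
SUPPORT_STAFF = {"agent7"}  # hypothetical accounts allowed to read any ticket


def get_ticket_vulnerable(user, ticket_id):
    """IDOR: the caller is authenticated, but ownership is never checked."""
    return TICKETS[ticket_id]


def get_ticket_checked(user, ticket_id):
    """Same lookup with an object-level authorization check."""
    ticket = TICKETS.get(ticket_id)
    # Same error for "missing" and "not yours", so valid IDs cannot be told apart.
    if ticket is None or (ticket["owner"] != user and user not in SUPPORT_STAFF):
        raise PermissionError("ticket not available")
    return ticket


def flag_enumeration(access_log, threshold=3):
    """Return users who requested at least `threshold` distinct tickets
    they do not own. Staff accounts are counted too, because a stolen
    privileged account passes the ownership check above."""
    foreign = defaultdict(set)
    for user, ticket_id in access_log:
        ticket = TICKETS.get(ticket_id)
        if ticket is None or ticket["owner"] != user:
            foreign[user].add(ticket_id)
    return sorted(u for u, ids in foreign.items() if len(ids) >= threshold)


# Constructed access log: (authenticated user, requested ticket id).
SAMPLE_LOG = [("alice", 101), ("bob", 102), ("bob", 101), ("mallory", 101),
              ("mallory", 102), ("mallory", 103), ("mallory", 104)]

if __name__ == "__main__":
    print(get_ticket_vulnerable("bob", 101)["owner"])  # another user's record
    print(flag_enumeration(SAMPLE_LOG))
```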

CPF, phone, and address increase risk of scams

Registration data does not have the same legal classification as sensitive data, but still represents a significant risk to holders when exposed together.

Under the LGPD, personal data is any information related to an identified or identifiable natural person, while sensitive data involves racial or ethnic origin, religious beliefs, political opinions, health, sexual life, genetics, or biometrics.

In the case attributed to iFood, the information described so far is classified as personal data, not sensitive data.

Even so, full name, CPF, phone number, and address can allow for more convincing false approaches, especially in calls, messages through apps, or fraudulent registration update attempts.

A scammer with access to this data can impersonate a company employee, cite real information to gain trust, and try to obtain codes, passwords, or other details that did not appear in the leak.

Therefore, the absence of financial data does not eliminate the risk for affected users.

The exposure can also facilitate cross-referencing with old databases already leaked in other incidents.

When information from different sources is combined, criminals can create more complete profiles of the victims, which increases the chance of targeted scams and makes it harder to immediately identify the source of the problem.

Suspicion of 43.8 million registrations remains unproven

The main discrepancy in the case is the size of the exposure.

iFood acknowledges about 1.2 million affected users, while the criminals claim the volume could reach 43.8 million registrations.

The difference is significant and, so far, there is no public evidence confirming the larger number.

TecMundo reported that the first samples released were small and did not have enough metadata to indicate the date of the leak or measure its extent.

Later, new files sent to the newsroom presented a more consistent structure, but still did not allow for independent verification of the total number of affected users.

In the initial publication, the user “bacen” reportedly set June 10, 2026, as the deadline for negotiations with iFood.

This type of deadline is common in digital extortion attempts, where criminals pressure companies to pay to prevent the disclosure or sale of illegally obtained data.

As of the last public update located, there was no confirmation of an agreement between the parties, nor had any ransom amount been disclosed.

There was also no proof that a complete database with 43.8 million users had been fully published, beyond the samples mentioned in the reports on the case.

For customers, the practical recommendation is to be wary of contacts that cite personal data to request passwords, codes sent by SMS, bank confirmations, or urgent registration updates.

Legitimate companies should not request this type of information by phone or message without secure authentication.

The case is under investigation and depends on new technical elements to clarify whether there was only the incident acknowledged by the company or if there is a second database, as claimed by the criminals.

For now, what is confirmed is the leak affecting approximately 1.2 million users, while the suspicion involving 43.8 million registrations remains without independent verification.

Alisson Ficher

A journalist who graduated in 2017 and has been active in the field since 2015, with six years of experience in print magazines, stints at free-to-air TV channels, and over 12,000 online publications. A specialist in politics, employment, economics, courses, and other topics, he is also the editor of the CPG portal. Professional registration: 0087134/SP. If you have any questions, wish to report an error, or suggest a story idea related to the topics covered on the website, please contact via email: alisson.hficher@outlook.com. We do not accept résumés!
