Brazilian food delivery giant iFood has confirmed a data breach affecting approximately 1.2 million customers, roughly 2% of its user base, stemming from a December 2025 intrusion. The disclosure, made on June 3, 2026, follows weeks of dispute with a threat actor on BreachForums who claims to hold a far larger trove of 43.8 million records.
What Happened
iFood publicly acknowledged the breach on Wednesday, June 3, 2026, describing it as an "isolated" incident originating in December 2025. The confirmation came amid mounting pressure following a May 28, 2026 BreachForums post by a threat actor using the alias "bacen," who claimed to be sitting on 43.8 million stolen customer records and threatened staggered leaks unless a ransom was paid by June 10. iFood publicly rejected the larger figure, asserting it found no evidence to support claims that 43 million users were impacted. The situation was further complicated when a second threat actor identifying as "Harold" told Brazilian outlet TecMundo that the 1.2 million-record exposure iFood admitted to is a separate incident from the one bacen is advertising, suggesting two distinct compromises may be in play.
What Was Taken
According to iFood, the December 2025 incident exposed personally identifiable information including full names, phone numbers, residential addresses, and CPF numbers. The CPF (Cadastro de Pessoas Físicas) is Brazil's equivalent of a U.S. Social Security Number and is required for banking, retail transactions, and identity verification across nearly every consumer-facing service in the country. iFood stated that no passwords, banking credentials, or credit card data were taken in the confirmed breach. With iFood's Android app exceeding 100 million downloads and an equally dominant iOS footprint, even a 2% exposure represents a sizable identity-fraud risk pool. The unverified bacen dataset, if authentic, would expand the impact by an order of magnitude.
Why It Matters
This incident sits at the intersection of three significant pressures for defenders. First, CPF leakage in Brazil fuels a mature underground market for identity-based fraud, including fraudulent credit applications, SIM-swap targeting, and tax-related scams. Second, the discrepancy between the company's confirmed figure and the threat actor's claim of 43.8 million records illustrates a recurring incident-response challenge: defenders and the public are forced to weigh corporate disclosures against extortion claims with limited independent verification. Third, iFood elected not to notify affected users directly, citing Brazilian Data Protection Authority (ANPD) guidance that formal notification is not required when an incident does not pose a "real danger or harm." That decision is already drawing scrutiny under the LGPD framework and may shape how regulators interpret breach-notification thresholds going forward.
The Attack Technique
iFood has not publicly disclosed the initial access vector, attack chain, or persistence mechanisms associated with the December 2025 intrusion. The company has characterized the event as an isolated security issue but has not released technical indicators of compromise, malware samples, or affected system details. The threat actor bacen's BreachForums post follows the established double-extortion playbook: staged data leaks combined with escalating ransom demands and a hard deadline (June 10) to pressure the victim. The possibility raised by the "Harold" actor that two separate compromises exist suggests iFood's underlying environment, or the supply chain feeding it, may have been targeted more than once, though this remains uncorroborated.
What Organizations Should Do
- Brazilian consumers and businesses processing CPF data should monitor for downstream fraud campaigns, including phishing lures referencing iFood orders, fraudulent KYC submissions, and SIM-swap attempts targeting the affected phone numbers.
- Financial institutions and fintechs operating in Brazil should tune fraud-detection models to weight CPF-plus-address-plus-phone combinations sourced after December 2025 as potentially compromised.
- Enterprise security teams should treat employee CPFs as plausibly leaked when designing identity-verification workflows and avoid using CPF alone as an authentication factor.
- Incident response leaders should review their own disclosure playbooks against LGPD and ANPD guidance, particularly around the "real harm" threshold that iFood invoked to avoid direct user notification.
- Threat intelligence teams should monitor BreachForums and Brazilian-language Telegram channels for sample drops attributed to bacen or Harold to validate which dataset (1.2M or 43.8M) ultimately surfaces publicly.
- Application owners with large Brazilian user bases should accelerate dark-web monitoring for credential and PII corpora referencing their platforms, given the active extortion-stage timeline running through June 10.
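The advice above on not using CPF alone as an authentication factor, and on treating CPF-plus-address-plus-phone matches as potentially compromised, can be sketched as follows. This is an added example, not code from iFood or the cited source; the `Request` fields, the `decide` policy, its outcome names and the exact exposure start day are hypothetical assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Assumption: the article gives only "December 2025"; the day is a placeholder.
EXPOSURE_START = date(2025, 12, 1)

def cpf_is_well_formed(cpf: str) -> bool:
    """Check the two CPF check digits. Anyone can compute them, so this
    proves the number is well formed, not that the caller owns it."""
    s = cpf.replace(".", "").replace("-", "")
    if len(s) != 11 or not (s.isascii() and s.isdigit()) or len(set(s)) == 1:
        return False
    digits = [int(c) for c in s]
    for n in (9, 10):  # position of each check digit
        total = sum(d * w for d, w in zip(digits[:n], range(n + 1, 1, -1)))
        if (total * 10) % 11 % 10 != digits[n]:
            return False
    return True

@dataclass(frozen=True)
class Request:
    cpf: str
    phone: str
    address: str
    submitted: date
    possession_verified: bool  # hypothetical: app or hardware authenticator approved

def decide(req: Request, on_file: tuple[str, str, str]) -> str:
    """Return 'reject', 'allow', 'review' or 'step_up' (hypothetical policy)."""
    if not cpf_is_well_formed(req.cpf):
        return "reject"
    if (req.cpf, req.phone, req.address) != on_file:
        return "reject"
    if req.possession_verified:
        return "allow"
    # CPF, phone and address are among the exposed fields: a full match is
    # identification only, and from the exposure window onward the triple is
    # treated as potentially compromised rather than as reassurance.
    return "review" if req.submitted >= EXPOSURE_START else "step_up"

# Constructed sample data (123.456.789-09 is a checksum-valid dummy CPF).
ON_FILE = ("123.456.789-09", "+55 11 90000-0000", "Rua Exemplo 1, Sao Paulo")
```

Given the SIM-swap risk noted above, the possession factor in such a policy should not be an SMS code sent to the exposed phone number.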
Sources: iFood Confirms Data Breach Affecting 1.2 Million Users in Brazil