Brazilian renewable energy cooperative iGreen Energy (igreenenergy.com.br) is at the center of a critical-severity data exposure after a threat actor put over 5 million records, plain-text utility portal credentials, and backoffice master accounts up for sale on a prominent dark web forum. The compromise, surfaced and validated on May 31, 2026, traces back to predictable Amazon S3 bucket URLs and a fundamental failure in cloud storage access controls across the company's AWS estate.
What Happened
On May 31, 2026, an active sale and distribution thread appeared on a major underground cybercrime forum advertising an unencrypted relational database dump tied to iGreen Energy, one of Brazil's largest distributed solar generation platforms and energy cooperative brokers. Rather than pursuing private ransomware extortion, the broker opted for a rapid mass-distribution model, publicly releasing samples and offering the full dataset to multiple buyers. The seller confirmed the data was harvested with minimal technical effort using basic automated enumeration scripts targeting predictable S3 object paths, indicating no exploitation of a software vulnerability was required.
What Was Taken
The exposed corpus spans three high-impact categories. Civilian PII includes more than 5 million unique records containing CPF and CNPJ numbers, RG identity documents, residential and commercial addresses, and KYC document images covering clients, independent energy consultants, and internal administrative staff. Grid infrastructure credentials include plain-text usernames and passwords for regional utility portals such as RGE, CEMIG, and ENEL, used by iGreen to manage solar credit assignments and bill deductions on behalf of customers. Backoffice control assets include corporate administrator and master account credentials granting access to internal consultant tracking frameworks, cloud repositories, and backend financial routing systems.
Why It Matters
Distributed energy resource platforms occupy a privileged position between sovereign utility infrastructure, regional grid operators, and millions of end consumers. A breach at this layer is not a conventional PII leak: the plain-text utility portal passwords give attackers direct authenticated access to third-party power distributor systems, enabling fraudulent credit redirection, payout interception, and potential operational manipulation of customer accounts at RGE, CEMIG, and ENEL. The five million identity records also feed downstream tax fraud, account takeover, and synthetic identity operations across the Brazilian financial system. For Brazil's clean energy economy, the incident demonstrates how a single broker's cloud misconfiguration cascades into a multi-tenant utility supply chain compromise.
The Attack Technique
The threat actor explicitly credited the harvest to predictable S3 URLs, meaning iGreen's AWS buckets used guessable or sequentially structured object keys and lacked enforced authentication, bucket policy restrictions, or object-level access controls. Automated enumeration scripts iterating through likely paths were sufficient to exfiltrate the entire corpus. This pattern, often called bucket walking or path enumeration, requires no credentials, no zero-day, and no insider access. It exploits the assumption that obscurity at the object-key level provides security, when in reality public-readable buckets paired with deterministic naming schemes are trivially scraped at scale.
What Organizations Should Do
- Audit every S3 bucket for public ACLs, anonymous read permissions, and missing bucket policies; enable S3 Block Public Access at the account level and require explicit exceptions.
- Replace predictable object-key naming schemes (sequential IDs, customer numbers, timestamped paths) with high-entropy random identifiers, and treat object keys as non-secret regardless.
- Eliminate plain-text storage of third-party credentials; route all utility portal logins through AWS Secrets Manager, HashiCorp Vault, or equivalent, with short-lived tokens where the upstream provider supports them.
- Enable AWS CloudTrail data events and GuardDuty S3 Protection to detect enumeration patterns, anonymous access, and bulk object retrieval from unexpected source IPs.
- Force immediate rotation of all utility portal passwords, backoffice admin accounts, and internal API keys that touched the exposed buckets, and notify RGE, CEMIG, ENEL, and other affected utilities of the credential compromise.
- Notify Brazil's ANPD under LGPD breach disclosure rules and prepare a downstream notification flow for the five million affected data subjects, including KYC image holders.
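The first audit item above, worked as an added example (not iGreen's or AWS's code): an offline evaluator that decides whether a bucket is effectively world-readable from its Block Public Access settings, ACL and bucket policy, which the caller is assumed to have fetched with `aws s3api get-public-access-block`, `get-bucket-acl` and `get-bucket-policy`. The bucket name, ACL and policy below are constructed samples; the account-level Block Public Access setting is not modelled.

```python
import json
PUBLIC_GRANTEES = {"http://acs.amazonaws.com/groups/global/AllUsers",            # anonymous
                   "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}  # any AWS account
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}  # lower-cased actions that read objects
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _principal_is_public(principal):
    # Principal "*" or {"AWS": "*"} means anyone, including unauthenticated callers
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return principal == "*"

def acl_public_read(acl):
    # acl: parsed output of `aws s3api get-bucket-acl`
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES
               and g.get("Permission") in ("READ", "FULL_CONTROL") for g in acl.get("Grants", []))

def policy_public_read(policy_doc):
    # policy_doc: bucket policy JSON string, or None when no policy is attached.
    # Allow statements carrying a Condition are skipped here; they need manual review.
    if not policy_doc:
        return False
    for st in _as_list(json.loads(policy_doc).get("Statement", [])):
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if _principal_is_public(st.get("Principal")) and actions & READ_ACTIONS:
            return True
    return False

def assess_bucket(name, pab, acl, policy_doc):
    # pab: parsed `aws s3api get-public-access-block` output (None if never set); BPA overrides ACL/policy
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    via_acl = acl_public_read(acl) and not cfg.get("IgnorePublicAcls", False)
    via_policy = policy_public_read(policy_doc) and not cfg.get("RestrictPublicBuckets", False)
    return {"bucket": name, "public_read": via_acl or via_policy, "via_acl": via_acl,
            "via_policy": via_policy, "bpa_complete": all(cfg.get(k, False) for k in PAB_KEYS)}

# Constructed sample inputs (not real data): the same public ACL and policy, without and with BPA
ALL_USERS_ACL = {"Grants": [{"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
OPEN_POLICY = json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                                         "Resource": "arn:aws:s3:::example-kyc/*"}]})
EXPOSED = assess_bucket("example-kyc", None, ALL_USERS_ACL, OPEN_POLICY)
HARDENED = assess_bucket("example-kyc", {"PublicAccessBlockConfiguration": dict.fromkeys(PAB_KEYS, True)},
                         ALL_USERS_ACL, OPEN_POLICY)
```

Feed it the output of the three `s3api` calls for every bucket in the account; any result with `public_read` true, or `bpa_complete` false, is a bucket to fix before anything else.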