Entire population of Brazil possibly exposed in massive data leak

The private data of hundreds of millions of Brazilians were publicly accessible to threat actors, putting individuals at risk.

Cybernews research revealed a publicly accessible Elasticsearch instance, which contained a staggering amount of private data belonging to Brazilian individuals.

Elasticsearch is a commonly used tool for the search, analysis, and visualization of large volumes of data. The leaked data was not linked to a specific company or organization, preventing Cybernews from identifying the source of the leak.

Figure: Total count of leaked records. Image by Cybernews

The cluster, located on a cloud server, contained data including full names, dates of birth, sex, and Cadastro de Pessoas Físicas (CPF) numbers. The CPF is an 11-digit number that identifies individual taxpayers in Brazil.

The leaked data contained more than 223 million records, which implies that the entire Brazilian population might be affected by the leak.

Figure: Leaked private data. Image by Cybernews

The data is no longer publicly available. In the hands of a malicious actor, however, it could have been misused for identity theft, fraud, and targeted cybercrimes, resulting in financial losses, unauthorized access to personal accounts, and other severe consequences for the individuals affected.

The massive scale of the leak amplifies the potential impact. Cybernews has previously reported on massive leaked data sets, allegedly belonging to governmental entities, being sold online.

Earlier this year, threat actors listed 23 terabytes of data on one billion Chinese nationals and several billion case records from the Shanghai police. Personal data from 105 million Indonesian citizens, including ID card numbers, full names, dates of birth, and other personally identifiable information (PII), has also been leaked and offered for sale online.