Hackers claim breach on Brazil’s Experian: Is every single person in Brazil part of this leak?


A hacker claims to hold data on more Brazilians than actually exist. Is it the largest leak ever recorded? Or just old data doing the rounds once again?

A threat actor posting on a well-known hacking forum claims to have exfiltrated 1.8 terabytes of sensitive data, allegedly affecting a staggering 223 million Brazilian citizens.

The post came up on April 8th, and the alleged leak is linked to Serasa Experian. The company, a subsidiary of the global giant Experian, is the backbone of credit risk and fraud prevention in Brazil.

Experian is one of the big three credit bureaus globally, alongside Equifax and TransUnion, that provide credit intelligence. Experian has reportedly boasted annual revenue of $7.5 billion globally.

Post on a forum.

What data has been allegedly stolen from Brazil’s Experian?

  • CPF (Cadastro de Pessoas Físicas) numbers – an 11-digit number that acts as a unique taxpayer ID similar to a Social Security Number.
  • Job titles in the form of a six-digit CBO (Classificação Brasileira de Ocupações) code, defining professional roles.
  • Full names
  • Dates of birth
  • Gender
  • Emails
  • Phone numbers

“With a target’s CPF, occupation, and phone number, a criminal can convincingly impersonate bank officials or government agents to drain accounts,” commented Cybernews researchers about the potential impact of leaking such data points.

Is the entire population of Brazil affected?

It’s impossible to independently verify the scope of the alleged data leak, as the threat actor uploaded only a sample .csv file containing 5,000 records.

However, the claimed numbers here are absolutely staggering. To put the 223 million figure into perspective: Brazil’s actual population is roughly 213.5 million.

Mathematically, the leak is larger than the country itself. This leaves us with two possibilities. Either the hacker is inflating the numbers, or the dataset includes the data of the deceased alongside that of every living person in the nation.

Is Serasa a repeated target, or are hackers just resurfacing old data?

But is a fresh breach of this size really plausible? This is not the first time the company has been linked to a massive data leak. In early 2021, a similar leak was linked to the company.

The leaked dataset was posted on a dark web forum, including CPFs, facial images, addresses, phone numbers, email addresses, credit scores, and salary data of the entire population.

Data sample.

The cyber incident is now the subject of a lawsuit, with a group action filed in the English High Court in January 2026. The new data leak claims might suggest either a fresh breach or the recycling of older data.

However, there are some indications that the threat actor might be resurfacing old data. Cybernews researchers reviewed older posts about the Serasa Experian leaks and determined that the dataset may be the same as the one in the latest claims.

While the threat actor claims the breach occurred around August 2022, the actual data in the sample tells a different story: nothing in the files is dated later than 2020.

"Even though there were only 5,000 lines out of a supposed 220 million, there was no major news of a Serasa breach in 2022," Cybernews researchers noted.

On DarkForum, several posts claim to sell the Serasa database – they skip 2021 entirely, with the oldest active threads starting in 2023. Most of those download links have already gone dead, and the data format looks suspiciously identical to previous leaks.

“This happens quite often. When one post with said database gets taken down, it often reappears somewhere else later. This threat actor probably wanted to gain more traction for their post by marketing it as a supposedly new breach, when it probably wasn't,” our researchers explained.
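The consistency check described above (newest date in the sample versus the claimed breach date) can be scripted for any leaked sample a defender is asked to assess. The following is an added example, not Cybernews' tooling: the column names, the sample rows, and the exact claimed date of 2022-08-01 are assumptions, and the CPF values are constructed test numbers.

```python
import csv
import io
import re
from datetime import date

DATE_RE = re.compile(r"\b(\d{4})-(\d{2})-(\d{2})\b")

# Constructed sample; the column layout is an assumption, not the leak's format.
SAMPLE_CSV = """cpf,name,birth_date,updated_at
529.982.247-25,Constructed Person A,1980-03-14,2019-11-02
11144477735,Constructed Person B,1975-07-30,2020-06-18
111.444.777-35,Constructed Person B,1975-07-30,2020-06-18
123.456.789-00,Constructed Person C,1990-01-01,2018-05-09
"""

def cpf_is_valid(cpf: str) -> bool:
    """Verify the two mod-11 check digits of an 11-digit CPF."""
    digits = [int(c) for c in re.sub(r"\D", "", cpf)]
    if len(digits) != 11 or len(set(digits)) == 1:
        return False
    for n in (9, 10):  # position of each check digit
        total = sum(d * (n + 1 - i) for i, d in enumerate(digits[:n]))
        if digits[n] != (total * 10) % 11 % 10:
            return False
    return True

def triage_sample(csv_text: str, claimed_breach: date) -> dict:
    """Summarise a sample: CPF validity, duplicates, newest date seen."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    cpfs = [re.sub(r"\D", "", r["cpf"]) for r in rows]
    dates = []
    for row in rows:
        for value in row.values():
            if not isinstance(value, str):
                continue
            for y, m, d in DATE_RE.findall(value):
                try:
                    dates.append(date(int(y), int(m), int(d)))
                except ValueError:
                    pass  # not a real calendar date
    latest = max(dates) if dates else None
    return {
        "records": len(rows),
        "valid_cpfs": sum(cpf_is_valid(c) for c in cpfs),
        "duplicate_cpfs": len(cpfs) - len(set(cpfs)),
        "latest_date": latest,
        # A large positive gap suggests the data predates the claimed breach.
        "gap_days": (claimed_breach - latest).days if latest else None,
    }
```

A gap of years between the newest record and the claimed breach date, combined with a high share of structurally valid CPFs, points to real but recycled data rather than a fresh compromise.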

Cybernews has reached out to Serasa Experian for comment, but has not received a response at the time of publishing.

Not the first massive data leak affecting an entire country

Cybernews’s in-house research has previously shown that another massive data leak affected Brazil. Cybernews researchers discovered a publicly accessible Elasticsearch instance containing 223 million records of CPF numbers for Brazilian citizens.

The massive scale of the leak amplified the potential impact. Previously, Cybernews reported on massive leaked datasets allegedly belonging to governmental entities being sold online.

In 2024, threat actors listed 23 terabytes of data on one billion Chinese nationals and several billion case records from the Shanghai police. Personal data from 105 million Indonesian citizens, including ID card numbers, full names, dates of birth, and other personally identifiable information (PII), was also leaked and offered for sale online.

