ADVERTISEMENT

FacePass security lapse exposes users' identification data

FacePass, a Brazil-focused app used for identification purposes, has leaked over 1.6 million files.

Facepass data leak

Image by Cybernews.

Vilius Petkauskas
Vilius Petkauskas Deputy Editor
Mar 26, 2025 Updated: 26 March 2025 2 min read
Niamh Ancell BW Stefanie Marcus Walsh profile chrissw
Stay informed and get our latest stories on Google News
Add us as your Preferred Source on Google.

What FacePass data was leaked?

  • Brazilian national IDs
  • Selfies for ID verification
  • AWS access key ID, other secrets
  • Full names
  • CPF numbers (Brazilian taxpayer registry)
  • Phone numbers
ADVERTISEMENT
“Cybercriminals can pair national ID details with selfies to circumvent biometric verification systems, enabling financial fraud or unauthorized access to sensitive accounts.”
  • Change the access controls to restrict public access and secure the bucket. Update permissions to ensure that only authorized users or services have the necessary access.
  • Monitor retrospectively access logs to assess whether the bucket has been accessed by unauthorized actors.
  • Enable server-side encryption to protect data at rest.
  • Use AWS Key Management Service (KMS) for managing encryption keys securely.
  • Consider implementing security best practices including regular audits, automated security checks, and employee training.

  • Leak discovered: January 30th, 2025
  • Initial disclosure: January 30th, 2025
  • CERT contacted: January 30th, 2025
  • Leak closed: February 19th, 2025
ADVERTISEMENT