Church app developer exposes data of nearly a million Brazilians

inChurch, a Brazilian software company providing services to 5,000 churches across Brazil and 45,000 worldwide, has leaked a tremendous amount of sensitive user data.

Recently, the Cybernews research team discovered an open Google Cloud Storage bucket belonging to inChurch, a Brazilian software development company focusing on apps, websites, and IT systems for churches.

Cybernews research shows that the Rio de Janeiro-based company failed to properly configure authentication for the storage bucket, which resulted in 9.2 million files being leaked.

[Figure: Number of unique records leaked]

The bucket stored an old database backup in SQL format, .exe files for software named “inChurch kids printer,” and numerous Microsoft Excel files (.XLSX).

Most of the leaked Excel files contained potentially sensitive personal data of 932,000 members of churches, mainly across Brazil, but the team was not able to independently validate the dataset due to white-hat cybersecurity practices.

The leaked data includes:

  • Full names
  • Email addresses
  • Home addresses
  • Dates of birth
  • Social security numbers
  • Marital status
  • Occupation
  • Education
  • Nationality
  • Baptism date, type of baptism, and church attended

Believers are at risk

Leaking such a massive amount of personal data is a cause for concern, as cybercriminals could exploit it in various ways. According to the researchers, cybercriminals could use the exposed email accounts and phone numbers for targeted phishing attacks. For example, they could send deceptive emails to affected individuals that appear to be from inChurch. This increases the risk of further security breaches.

By using social engineering tactics with the leaked data, attackers might manipulate victims into revealing more personal information or taking actions that compromise their security.

Identity theft is also a significant risk: because many services verify users' identities using personal information, such as home addresses, threat actors might use the leaked data to gain unauthorized access to churchgoers' accounts.

Additionally, there is the risk of doxxing, which involves the unauthorized exposure of personal information. This is a serious threat because cybercriminals, known as "doxxers," search the internet for material they can exploit for financial or personal gain.

The company’s response

After the Cybernews team contacted the company, access to the instance was secured.

“We prioritize the highest standards of information security and data protection. For that reason, our infrastructure was fully configured by a Google Cloud Partner with ISO27001 certification, recommended by Google,” Rafael Reis, CTO at inChurch, told Cybernews.

“Following our Privacy Management Program, we update our settings whenever necessary to ensure compliance with the best security practices. Investigations into the reported settings have found no evidence of malicious exfiltration of sensitive data,” he added.

South America impacted by data leaks

This is not the first time that the sensitive personal data of individuals in South America has been leaked.

In January, Cybernews discovered another massive data leak of CPF (Cadastro de Pessoas Físicas) numbers, which identify individual taxpayers in Brazil. With hundreds of millions of CPF numbers exposed, the leak might have affected the entire population of Brazil.

And earlier in May, Cybernews research revealed that mobile operator WOM leaked over a million files exposing clients’ RUT (Rol Único Tributario) numbers. The RUT number is a primary identifier of entities and individuals for administrative and tax purposes in Chile.