iFood confirmed a data breach originating in December 2025 that exposed the personally identifiable information (PII) of approximately 1.2 million users. The attack targeted the Sistema iFood de Resposta às Autoridades (SIRA), a restricted portal designed for judicial and administrative data requests. Threat actors gained access with compromised credentials belonging to an external agency, rather than through a failure of an internal iFood system. The exfiltrated data includes full names, phone numbers, physical addresses, and Cadastro de Pessoas Físicas (CPF) numbers. Authentication credentials and financial instruments were not exposed, but the CPF is the primary identity anchor in Brazil, so its exposure creates significant risk of high-fidelity identity theft and social engineering.
Incident Overview: Data Exfiltration
- Unauthorized access to the SIRA portal resulted in the leak of registration data for 1.2 million users, representing roughly 2% of iFood's customer base.
- Discrepancies exist between corporate disclosures and threat actor claims; an actor on BreachForums alleged the theft of 43.8 million records, a figure iFood strongly denies.
- The breach remained undetected or undisclosed for six months, with the incident occurring in December 2025 and public confirmation arriving in June 2026.
Technical Vector: External Credential Compromise
- Attackers leveraged compromised credentials from an external government or judicial body to authenticate into the SIRA restricted portal.
- Technical analysis suggests a "gradual extraction" methodology was used to bypass anomaly detection and avoid triggering security alerts during the data harvest.
- The vulnerability was not a software flaw in the iFood app itself, but a failure in the trust relationship and credential security of an external entity with portal access.
Impact Analysis: The CPF Identity Risk
- Compromised fields include full names, addresses, and the CPF (taxpayer ID), which is used across Brazil for banking, shopping, and government services.
- The leaked CPFs enable synthetic identity fraud, in which a genuine CPF is combined with fabricated or stolen details to open fraudulent accounts or pass basic KYC (Know Your Customer) checks.
- Secondary risks include targeted smishing and vishing campaigns leveraging the leaked phone numbers and physical addresses for increased legitimacy.
Regulatory Response & LGPD Compliance
- iFood initially declined to send formal notifications to affected users, citing the LGPD (Lei Geral de Proteção de Dados) rule that mandatory notification applies only to incidents likely to cause relevant risk or damage to data subjects, and assessing this incident as low risk.
- The Brazilian National Data Protection Authority (ANPD) has since requested detailed explanations regarding the company's risk assessment and notification timeline.
- Internal remediation involved the immediate revocation of the compromised external credentials and the hardening of SIRA portal access controls.
Strategic Defensive Outlook
- This incident underscores the risk of "indirect access" via third-party or government portals that possess high-privilege data extraction capabilities.
- Organizations must implement strict rate-limiting and behavioral analytics on all administrative portals to detect slow-and-low data exfiltration.
- The breach demonstrates that the compromise of a single external partner's credentials can lead to a massive PII leak, regardless of the primary organization's internal security posture.
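The "gradual extraction" pattern above defeats per-request thresholds because each export stays small; what catches it is a per-principal cumulative count over a longer window. The following Python is an added example, not code from iFood or from the article: it constructs a sample portal access log (the log format, the principal names and the volumes are assumptions) and runs both a naive per-request cap and a rolling seven-day per-principal cap over it.

```python
"""Detect low-and-slow record exfiltration from a data-request portal.

A per-request threshold misses an attacker who keeps every export small;
a rolling per-principal cumulative count over a longer window does not.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed log format for this example (assumption; not SIRA's real format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) principal=(?P<principal>\S+) action=export records=(?P<records>\d+)$"
)


def parse_line(line):
    """Parse one log line into an event dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "principal": m["principal"],
        "records": int(m["records"]),
    }


def per_request_alerts(events, cap_per_request):
    """Naive control: flag any single export larger than the cap."""
    return [e for e in events if e["records"] > cap_per_request]


def rolling_window_alerts(events, window, cap_per_window):
    """Per-principal rolling sum of exported records. Returns, for each principal
    whose total within `window` exceeds the cap, the first (timestamp, total) at
    which that happened. `events` must be sorted by timestamp."""
    recent = defaultdict(deque)  # principal -> deque of (ts, records) inside the window
    totals = defaultdict(int)
    alerts = {}
    for e in events:
        p = e["principal"]
        q = recent[p]
        q.append((e["ts"], e["records"]))
        totals[p] += e["records"]
        while q and e["ts"] - q[0][0] > window:  # drop events older than the window
            _, old = q.popleft()
            totals[p] -= old
        if totals[p] > cap_per_window and p not in alerts:
            alerts[p] = (e["ts"], totals[p])
    return alerts


def build_sample_log(days=30):
    """Constructed sample log: five legitimate users export 30 records once a day;
    one compromised account exports 50 records every two hours, round the clock.
    No single request exceeds 100 records, so a per-request cap never fires."""
    start = datetime(2025, 12, 1, tzinfo=timezone.utc)
    lines = []
    for d in range(days):
        for i in range(5):
            ts = start + timedelta(days=d, hours=9 + i)
            lines.append(f"{ts.isoformat().replace('+00:00', 'Z')} "
                         f"principal=agency_user_{i} action=export records=30")
        for h in range(0, 24, 2):
            ts = start + timedelta(days=d, hours=h)
            lines.append(f"{ts.isoformat().replace('+00:00', 'Z')} "
                         f"principal=agency_user_compromised action=export records=50")
    return lines


def analyse(lines, cap_per_request=100, window=timedelta(days=7), cap_per_window=2000):
    """Run both detections over raw log lines and return their findings."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    return {
        "per_request": per_request_alerts(events, cap_per_request),
        "rolling": rolling_window_alerts(events, window, cap_per_window),
    }


if __name__ == "__main__":
    result = analyse(build_sample_log())
    print("per-request alerts:", len(result["per_request"]))
    for principal, (ts, total) in result["rolling"].items():
        print(f"rolling-window alert: {principal} reached {total} records by {ts.isoformat()}")
```

With the constructed volumes, the compromised account stays under the 100-record per-request cap on every call but crosses a 2,000-record seven-day cap on the fourth day, while the legitimate users never accumulate more than 240 records in any seven-day window. The window length and cap are tuning parameters; in practice they should be derived from each principal's historical export volume rather than set globally.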