No Comments

We investigate! Everything you wanted to know about the 220 million CPF leak


Over the past week, several national and foreign media outlets reported what was supposed to be the biggest data leak in Brazil’s history – a cybercriminal would have put his hands on a base containing no less than 220 million social security numbers, 40 million CNPJs and detailed information about 140 million vehicles registered with the state traffic agencies.

The initial alert was issued by dfndr lab, PSafe’s research laboratory; subsequently, websites and blogs specialized in technology revealed that the impact of the incident would be much greater than that initially disclosed by the company, since the collection would also include details of individuals such as income, address, profession, possible debts with credit protection agencies and even photographs.

But, after all, what really happened? THE The Hack, as usual, he preferred not to comment immediately and prepare content only after certain facts had been verified. We have been investigating the incident since the night of the Friday before (that is, January 22) and, after a long investigation, we can confirm that we are facing a really catastrophic and worrying leak.

Ok, let’s go to the beginning

The initial alert issued by the dfndr lab did not mention this fact, but the leak in question was identified on RaidForum, a forum hosted on the surface web aimed at buying and selling stolen databases (as well as other specific articles for the practice of cybercrime, including exploits, tutorials, etc.). On January 14, a user identified only as JustBR made available, free of charge, a base of 223 million CPFs.

The collection – which has no less than 14 GB when unzipped – has only the document number, the citizen’s full name, gender and date of birth. According to the forum user, the compilation was made in August 2019 and “it is not part of any other known compilation, being offered exclusively by JustBR”. Such a basis, however, is only a small sample of what the criminal can do.

In another topic published three days earlier, JustBR announced, commercially, a complete data collection service theoretically from Serasa Experian, the most famous credit bureau in Brazil. The scammer made available a file with examples of data that he would be able to collect – both from individuals and from legal entities -, warning, however, that the minimum order would be US $ 500.

The announcement came with another sample, which The Hack was pleased to gain access to. The amount of personal information that JustBR says it is capable of collecting (and attests to this capacity with the analyzed sample) is impressive, being able to be divided into 37 different categories, properly organized in directories within the sample base.

We have CPF, RG, full name, gender, date of birth, name of parents, marital status, year of data update, email, address, occupation, telephones, education, marital status, social class, salary, other income, information on benefits (Bolsa Família, FGTS, INSS), income tax returns (IRPF), PIS, NIS, CNS, purchasing power, credit score and more.

The most interesting is that one of the directories in the sample analyzed is called “Mosaic”, the name of the Serasa Experian solution that segments the Brazilian population into 11 groups and 40 different segments. In a CSV file, we found several targets such as “Urban Experiences of Comfortable Living”, “Middle Age Employees of the Big Cities”, “In the Heart of the Periphery”, “Mass of Urban Workers” and “Piece of Land”.

In addition, we find PDF documents with all the official communication material on Serasa’s solutions for legal entities. These PDFs include legitimate guides that help you understand credit score calculation, Mosaic segmentation and Affinity Models (ie consumption profiles on and off the internet for each member of each segment).

What about legal entities?

In the scope of CNPJs, we do not have such a wide range of information – even so, the amount of data is also impressive. In addition to the registration number, we have access to the telephone, legal representative, contact email, address, CNAE, share capital, class of operation, credit score, bad checks and even tax information about Simples Nacional.

What does Serasa Experian say?

Sought by The Hack, Serasa Experian said it continues to investigate the case, but ensures that, so far, there is no evidence that the base has been exfiltrated from its systems. Check out the company’s positioning in full:

“There has been news in the media that a hacker is illegally offering data about Brazilian citizens on the web. Although the hacker claims that part of the data came from Serasa, based on our detailed analysis to this point, we conclude that Serasa is not the source. We also see no evidence that our systems have been compromised.

We have carried out an in-depth investigation that indicates that there is no correspondence between the fields of the folders available on the web with the fields of our systems where Score Serasa is loaded, nor with Mosaic. In addition, the data we saw includes elements that we don’t even have in our systems and the data that they claim to be attributed to Serasa does not match the data in our files.

We conclude that this is an unfounded claim.

We continue to actively monitor the situation and contact the regulators to assist them with any questions they may have regarding this matter. We have a strong commitment to protecting the privacy of the personal data we process and believe that we have the necessary security systems in place for that. ”

The authorities speak out

One of the first entities to comment on the leak was the São Paulo Consumer Protection and Defense Foundation (Procon-SP). In a note sent to The Hack, the agency confirmed that it had sent a notification to Serasa Experian for the bureau to explain the incident – as well as possible actions to contain the dissemination of data displayed on the web.

(Reproduction: São Paulo State Government)

“We will wait for the company’s response to analyze and evaluate the compatible penalties. The penalties provided for in the LGPD, which can reach up to 50 million, may be applied as of August, but Procon-SP can fine according to the Consumer Protection Code (CDC) ”, commented the executive director of Procon-SP , Fernando Capez. Serasa would have to respond until this last Saturday (30).

In addition, on Wednesday (27), The Hack newsroom contacted the director of the National Data Protection Authority (ANPD), Arthur Pereira Sabbat, about the agency’s position on the matter. Sabbat initially responded by saying that the authority still had nothing to share about the incident; later, however, the ANPD said it was already investigating the case to discover the source of the leak, the way it occurred, containment measures and possible consequences of the breach.

The passivity of the ANPD encouraged the Brazilian Bar Association (OAB) to send a letter on Thursday (28) asking for urgency in the investigation. “The incident subjects practically the entire Brazilian population to a scenario of serious personal risk and irreparable violation of privacy and needs to be thoroughly investigated by the competent authorities, in particular by this agency”, highlights the letter.

The National Consumer Secretariat (Senacon) has also launched an investigation to investigate the incident.

All care is little

According to a G1 report, it is possible that criminals are already using the leaked data to deliver scams, including illegal withdrawals of FGTS balances through the Caixa Tem application. The Hack advises caution on the part of the entire Brazilian population while the incident is being investigated by the authorities; frequently check your balance of labor and social benefits and double your care with phishing scams.

See the original post at:

You might also like

More Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.