iFood Data Breach: 1.2 Million Customer Records Exposed in Brazil
Summary
iFood, Brazil’s leading food delivery platform, has confirmed a data breach affecting the personal information of approximately 1.2 million customers (about 2% of its user base). While hackers claim to have stolen over 43 million records, the company maintains the 1.2 million figure and states the incident occurred back in December 2025.
What happened?
On June 3, 2026, iFood officially confirmed a security breach after hackers on BreachForums threatened to leak massive amounts of data. Exposed information includes names, phone numbers, email addresses, and CPF numbers (Brazilian taxpayer IDs). iFood emphasizes that passwords and payment information remain secure. However, the discrepancy between iFood’s confirmed 1.2 million and the hackers’ claimed 43.8 million records has caused significant uncertainty.
Why it matters
The incident highlights the vulnerability of large consumer platforms in emerging markets. The theft of CPF numbers is particularly critical, as they are frequently exploited in Brazil for identity theft and financial fraud. Furthermore, iFood is facing criticism for choosing not to notify affected users individually, arguing that there was no “relevant risk or damage” under Brazil’s General Data Protection Law (LGPD).
Evidence
iFood’s confirmation followed threats from a hacker using the alias “bacen” on BreachForums, who demanded a ransom. Security researchers have analyzed sample data, partially confirming the authenticity of the leaked information.
Analysis
The delay between the actual incident (December 2025) and the public announcement (June 2026) raises questions about iFood’s transparency and internal security audits. The decision not to warn users individually could damage brand trust in the long run, even if LGPD legal requirements are technically met. There is also suspicion that the confirmed 1.2 million records are either just the tip of the iceberg or part of a separate, older incident.
Practical Takeaways
- For Users: Be wary of phishing emails or SMS messages that contain personal details (such as your CPF). Use only the official iFood app for communications.
- For Companies: Data protection is not just a legal obligation but a foundation of trust. Proactive communication in a crisis is often better than reactive damage control.
Open Questions
- Is the 43.8 million figure truly fabricated, or is iFood downplaying the actual scale?
- Will Brazilian regulators (ANPD) agree with iFood’s assessment of “low risk,” or will they impose sanctions?