iFood Confirms Data Breach Affecting 1.2 Million Brazilian Users Brazilian food delivery app iFood has acknowledged a data breach that exposed sensitive information of approximately 1.2 million users roughly 2% of its customer base. The incident, which occurred in December 2025, was disclosed by the company on June 3, 2026, following unauthorized access to user data. The breach compromised names, phone numbers, addresses, and CPF numbers Brazil’s critical taxpayer identification documents used in financial and legal transactions. iFood confirmed that passwords, bank details, and credit card information remained unaffected. The company dismissed earlier claims by hackers on BreachForums, who alleged the theft of 43.8 million records, stating no evidence supports such a large-scale impact. However, some threat actors suggest the admitted breach may be an older, separate incident, leaving the possibility of a more recent, larger leak unresolved. Under Brazil’s LGPD (General Data Protection Law), iFood determined the breach did not meet the threshold for mandatory user notifications, as the National Data Protection Authority (ANPD) exempts incidents deemed low-risk. Despite this, the exposure of CPF numbers raises concerns over potential identity fraud. iFood has advised users to rely only on official app communications for security updates.

iFood Data Breach Exposes 1.2 Million Brazilian Users’ Personal Information Brazilian food delivery giant iFood confirmed a data breach in December 2025, affecting 1.2 million users approximately 2% of its customer base. The company disclosed the incident on June 3, 2026, revealing that hackers accessed names, phone numbers, addresses, and CPF numbers (Brazil’s taxpayer identification equivalent to U.S. Social Security Numbers). While sensitive financial data, including passwords and credit card details, remained secure, the exposed CPF numbers pose a significant risk for identity fraud. The breach’s scale became a point of contention after a hacker, operating under the alias bacen, claimed on May 28, 2026, to have stolen 43.8 million records far exceeding iFood’s official figure. The hacker threatened to leak the data in stages unless a ransom was paid by June 10. iFood dismissed the claim, stating no evidence supported the larger breach. However, another hacker, Harold, told Brazilian tech outlet TecMundo that the 1.2 million records acknowledged by iFood were from a separate December incident, suggesting the larger theft may still be valid. The incident has drawn scrutiny under Brazil’s Lei Geral de Proteção de Dados (LGPD), the country’s data protection law. iFood opted not to notify affected users directly, citing ANPD (Brazil’s data protection authority) guidelines that exempt companies from mandatory disclosure if the breach poses no "relevant risk or damage." Despite this, the exposure of CPF numbers critical for banking, shopping, and identity verification heightens concerns over potential fraud. With over 100 million downloads on Android alone, iFood remains one of Brazil’s most widely used apps. The company stated its security systems contained the breach swiftly and advised users to rely only on official app communications. The conflicting claims and legal implications continue to unfold as authorities and cybersecurity experts assess the full impact.