iFood Says Hacker Exposed 1.2 Million Brazilians’ Names and Tax IDs
Key Facts
- The breach: iFood, Brazil’s dominant food-delivery platform, confirmed on June 3 that a hacker exposed the names and tax-ID numbers of about 1.2 million users, roughly 2% of its customer base.
- What leaked: The company says only registration data — full name and the CPF taxpayer number — was affected, with no passwords, payment methods or financial records compromised.
- The timing: iFood says the incident occurred in December 2025 and was contained then; it disclosed publicly only six months later, citing a Brazilian data-law exemption for breaches it judged low-risk.
- The dispute: A dark-web actor claims a far larger trove of 43.8 million records including emails, phones and card data. iFood says it found no evidence supporting that figure.
- The regulator: Brazil’s National Data Protection Authority (ANPD) has asked iFood for explanations and is weighing the incident’s severity.
Latin America’s largest food-delivery company has confirmed a data breach affecting more than a million customers — and is now disputing a hacker’s claim that the true scale is dozens of times larger.
What the iFood data breach exposed
iFood, the food-delivery app that handles roughly 120 million orders a month for some 60 million customers across more than 1,500 Brazilian cities, said in a statement on Wednesday that personal data belonging to about 1.2 million users had been exposed. That figure represents close to 2% of its customer base. According to the company, the leaked information was limited to registration details — users’ full names and their CPF, the individual taxpayer identification number that functions as Brazil’s primary personal identifier. iFood said no passwords, payment methods, financial records or transaction histories were affected, and that it found no evidence of access to banking data.
The company characterised the episode as an isolated incident that took place in December 2025 and was quickly neutralised by its security protocols at the time. It said it operates in compliance with Brazil’s General Data Protection Law, known by its Portuguese acronym LGPD, and reminded customers to treat only the platform’s official channels as legitimate sources of communication about the matter.
A six-month delay and a regulator’s questions
One of the most contested aspects of the disclosure is its timing. The breach dates to December 2025, but iFood made it public only this week — roughly six months later. The company argued that Brazilian law waives the requirement to notify affected individuals when an incident does not create a relevant risk or harm, under the criteria set by the data-protection regulator. That justification is now itself under scrutiny.
The National Data Protection Authority, the ANPD, has requested explanations from iFood and signalled it will assess the incident’s severity, weighing factors such as the type of data exposed, the number of people affected and the potential consequences. The authority noted that even where the extent of harm is uncertain, the data controller — in this case iFood — is obliged to adopt adequate preventive measures. For a company that holds the tax IDs and contact details of tens of millions of Brazilians, the regulatory question is whether the low-risk classification that justified the delayed disclosure will hold.
The disputed 43.8 million-record claim
iFood’s confirmation followed reporting by Brazilian technology outlets and a claim circulating on a dark-web hacking forum. A user of BreachForums, a marketplace where stolen material is bought and sold, asserted last week to hold data on more than 43.8 million Brazilian iFood customers — a set said to include not only names and tax IDs but also emails, phone numbers and credit-card information. A separate cybersecurity monitor warned that, if accurate, such a trove could enable large-scale identity and financial fraud, including mass phishing campaigns using verified contact details. The actor reportedly demanded that iFood make contact by June 10 and pay an unspecified sum.
iFood pushed back firmly on the larger figure. The company said that after repeated analyses it found no evidence that 43 million user records had been leaked, and that the material posted online corresponds to the same isolated December 2025 incident it had already identified and contained. The gap between the company’s account and the criminal’s claim — and whether they describe one breach or two — remains unresolved, and is part of what the regulator will examine.
Why it matters beyond Brazil
iFood is one of Latin America’s most prominent technology champions, a Brazilian platform that has fended off well-funded challengers including a relaunch of China’s Didi-owned 99Food and the regional arrival of Meituan’s Keeta. A breach touching the personal identifiers of more than a million users — and a louder, unverified claim of a far bigger one — lands at a moment when the region’s data-protection regimes are still maturing and enforcement records are thin. For foreign investors watching Brazil’s digital economy, the episode is a test of how aggressively the ANPD will police disclosure obligations, and of how much reputational and regulatory risk sits inside the consumer-data holdings of the platforms that now mediate everyday life across the country.
Frequently Asked Questions
How many iFood users were affected?
iFood confirmed about 1.2 million users, roughly 2% of its base. A dark-web actor claims a much larger 43.8 million records, which iFood says it found no evidence to support.
What data was leaked?
According to iFood, only names and CPF taxpayer numbers. The company says no passwords, payment methods, financial records or banking data were compromised.
When did the breach happen?
iFood says the incident occurred in December 2025 and was contained then. It disclosed the breach publicly only in June 2026, citing a data-law exemption for low-risk incidents.
Is iFood facing regulatory action?
Brazil’s data-protection authority, the ANPD, has asked iFood for explanations and is assessing the incident’s severity, including the delayed disclosure.