Leonard Manson reports:
On Tuesday morning (19), the dfndr lab, PSafe’s cybersecurity laboratory, reported a huge leak in a Brazilian database that may have exposed the CPF number and other confidential information of millions of people.
According to the experts, who use artificial intelligence techniques to identify malicious links and fake news, the leaked data contains detailed information on 104 million vehicles and about 40 million companies, potentially vulnerable to 220 million people.
The information contained in the compromised database includes the name, date of birth and CPF of almost all Brazilians, including authorities.
Read more on Somag.
This is a bit of a “hold my beer” moment for researchers who have quietly been finding and muttering over massive databases with Brazilians’ personal and medical information for more than a year now. Many leaked databases are now in the hands of individuals or firms who have not publicized their finds but have amassed detailed information on Brazilian citizenry. When DataBreaches.net asked one Brazilian security researcher last year whether citizens would be concerned to know about leaks involving their CPF (which is their national taxpayer registration number), the researcher’s answer was basically, “No, we have bigger problems than that to worry about.”
Is it confirmed by another source?
Tecnoblog.net started to investigate it. Serasa Experian told them that they do not think the data came from Serasa Experian. That said, the data do appear to be valid/real data from somewhere. Some of the data in there matches data from other leaks (like national registration number, etc).
I have a data protection service called Kzarka.com, and it reported to me that this data DID NOT come from Serasa. It came from a data provider that provides services for Serasa but has a completely different approach. They are a third party service.
Kzarka’s didn’t recommend me to change my passwords on affected websites. Instead, tey are working to remove their clients data from the original deep web source file, on AtlanticMarket.
The data are already on a lot of people’s hard drives and are still being given away freely on clearnet web sites/forums. Getting the data removed from the original leak site is nice, but doesn’t really solve the problems. But thank you for the update. Much appreciated!
And what is the name of the data provider?
Even though it didn’t directly come from them, they are going to be held accountable for the data breach by both public authorities and the general public – to date, national consumer protection service (Senacon) already issued a request for investigation and for impact assessment. They have 15 days to answer
Anyway, damage is already done for both Serasa and the consumers – now the only thing Serasa can do is try to exonerate themselves to not be fined.
AtlanticMarket?? Sorry
Yeah, I wondered about that, too. Never heard of any such market.
and where is the link that I ran all over the internet and didn’t find?
My policy is not to link to data dumps. That would be a bit inconsistent with efforts to protect data. 🙂
where it locate to check if it true?
Felipe Ventura of tecnoblog.net checked a few people and found valid/real data for them.
Seems the data leak comes from insiding on ANPD who started to build a centralized national database on 2018.
Why do you think it’s them? Is there anything specific in the data or formatting/fields to support your guess?