iFood Confirms Data Breach Affecting 1.2 Million Users in Brazil

Brazilian food delivery app iFood has confirmed that it was the victim of a data breach in December 2025 that affected 1.2 million users (about 2% of its customer base). According to the iFood announcement on Wednesday, June 3, the incident was an isolated issue in which hackers took names, phone numbers, addresses, and CPF numbers.
Like Social Security Numbers (SSN) in the United States, CPFs are Brazilian taxpayer identity documents used everywhere for everyday tasks like opening bank accounts, shopping, and verifying identity. Fortunately, iFood clarified that hackers did not get passwords, bank details, or credit card records.
For context, iFood’s Android app has more than 100 million downloads, while its iOS app is also extremely popular in Brazil.
iFood’s confirmation follows a disagreement over the attack’s size: on May 28, 2026, a hacker using the alias bacen claimed to have stolen around 43.8 million customer records from the app. The hacker’s post on BreachForums came with a threat to leak the data in stages and increase the price unless iFood paid a ransom by June 10.
However, iFood strongly denied these massive numbers. The company said it found no proof that 43 million people were affected. Yet the story took another turn. According to a report by Brazilian news site TecMundo, the hackers are rejecting the official story from iFood. A hacker named Harold told TecMundo that the 1.2 million-user leak iFood admitted to is an entirely separate security issue from December, and that their larger, more recent theft might still be real.
This situation is causing people to look closely at Brazil’s data protection law, known as LGPD. This law sets the rules for how companies should handle private data. iFood chose not to send formal alerts to the affected users. The company explained that under the rules of Brazil’s data protection authority, the ANPD, companies don’t need to notify users if an incident doesn’t create a real danger or harm to them.
“The incident was handled and assessed in strict compliance with the law, which waives reporting and communication when the event does not create relevant risk or damage to data holders, according to regulatory criteria defined by the ANPD,” the company’s statement reads.
Still, it is a concerning situation because CPF numbers are highly valuable to scammers who want to commit identity fraud. iFood said its safety systems stopped the issue quickly and urged customers to only trust messages sent through its official app.
HackRead



