iFood confirmed that 1.2 million users had their data leaked. The hacker on BreachForums claims 43.84 million. The difference is 36 times. And the company didn't notify Brazil's data protection authority because "there is no relevant risk." That's what we need to talk about.
The timeline of the breach
On May 28, 2026, a hacker known as "bacen" posted on BreachForums an offer of 43.84 million records containing CPF, name, email, phone, and card numbers. Negotiation deadline: June 10.
Five days later, on June 3, iFood issued a statement confirming 1.2 million affected users — roughly 2% of their total base. The incident reportedly occurred in December 2025. According to the company, the exposed data was limited to names and CPFs, with no passwords or financial information.
iFood's official statement was blunt: "Isolated incident, December 2025, quickly neutralized. Name and CPF. No passwords, payment methods, or financial records." And it concluded: "The event does not entail relevant risk or harm to data subjects."
That's why they didn't notify ANPD. Or the users.
The 36x discrepancy
1.2 million versus 43.84 million. How do you explain a gap that large? Three scenarios are possible — and none of them is comfortable.
First: the hacker inflated the number to increase the extortion value. This is common practice on BreachForums — pump up the volume to pressure negotiations.
Second: the material combines data from multiple sources. Other breaches, infostealers, public databases. The hacker aggregates records from various origins and attributes everything to a single incident to lend credibility to the offer.
Third: iFood is underreporting. A 36x discrepancy is too large to dismiss without investigation. ANPD will officially request information from the company, and the actual extent of the incident will be a central point of inquiry.
What is certain: 1.2 million records with names and CPFs are in circulation. That alone is serious. And the absence of clarity about the real number is precisely the kind of scenario where ANPD notification should have been made immediately — not weeks later, under public pressure.
Why "name and CPF pose no relevant risk" is a dangerous claim
For international readers: CPF (Cadastro de Pessoas Físicas) is Brazil's national taxpayer ID — functionally equivalent to the US Social Security Number. It's public by design, yet it serves as the key to the entire Brazilian financial system. Every bank account, credit application, and government service requires it.
Saying that name and CPF "don't entail relevant risk" ignores how fraud works in Brazil. With name and CPF in hand, a fraudster can open fraudulent accounts at fintechs and digital banks. They can execute SIM swap attacks to intercept verification SMS and take over banking credentials. They can launch targeted phishing and smishing campaigns using verified data to gain the victim's trust. They can commit identity fraud to contract services and make purchases.
iFood has 60 million users. Many rely on the platform as their primary channel for food ordering and payment. These users entrust their financial data to the app. Claiming that leaking the CPFs of 1.2 million of them poses no relevant risk systematically underestimates the Brazilian fraud landscape.
The severity isn't in the data type alone — it's in the combination and the context. Name and CPF, together, in a country where CPF opens doors across the financial system, represent relevant risk by definition.
The legal obligation that was ignored
ANPD — Brazil's National Data Protection Authority, the equivalent of EU data protection authorities under GDPR — requires communication within 3 business days for incidents that present relevant risk to data subjects. The obligation exists even when there's uncertainty about the incident's extent. In other words: if you don't know exactly how many people were affected, that's more reason to notify — not less.
ANPD has already announced it will officially request information from iFood. The path is the same we've seen in other cases: the authority opens a procedure, requests documentation, and evaluates whether LGPD was violated.
The structural problem goes beyond iFood. When a company unilaterally decides the risk isn't relevant, the law loses its purpose. LGPD exists to guarantee transparency — much like GDPR does in Europe. If data subjects don't know their information is in circulation, they can't protect themselves. And 1.2 million people were left in the dark.
This is the central point: notification isn't just a bureaucratic formality. It's the mechanism that allows data subjects to act — change passwords, monitor accounts, freeze credit. Without notification, the breach is silent. And the damage multiplies precisely because no one was warned.
Context and lessons
This incident isn't isolated in iFood's recent history. In October 2025, two former employees were targeted in a police operation for selling user data to a competitor. The company hasn't detailed the vector behind the December 2025 incident — whether it was compromised internal access, an infrastructure vulnerability, or something else entirely.
What we learn from cases like this: transparency isn't optional — it's a legal obligation. Risk assessment must consider the real fraud context in Brazil, not a restrictive technical reading. And data governance isn't just having policies on paper — it's having processes that work when the incident happens.
At Tech86, we help companies implement data governance and incident response with transparency as the first priority. Because when the breach happens — and it will — what defines the damage isn't just the incident itself, it's the response.
