iFood confirms data breach affecting 1.2 million users in December

1.2 million people whose identities are now in circulation somewhere
The breach exposed names and CPF numbers for roughly 2 percent of iFood's user base, a scale that raises identity fraud risks.

In December 2025, one of Brazil's largest delivery platforms saw the personal data of 1.2 million users exposed: names and CPFs, documents that, in the wrong hands, can open the door to fraud and debt. iFood confirmed the incident only months later, asserting compliance with the LGPD and that no financial data was compromised. The episode highlights a permanent tension of the digital era: the concentration of sensitive information in centralized systems and the responsibility of the companies that hold it.

  • 1.2 million users had their names and CPFs exposed, data sufficient to open credit or commit identity fraud in Brazil.
  • iFood took about six months to make the incident public, without directly explaining the interval between the occurrence and the disclosure.
  • The company rejected rumors of a leak of 43 million records, stating that internal analyses confirmed it was only the December episode, already contained.
  • Passwords, payment methods and financial data were not compromised, according to the company's own investigation, a central distinction in the damage-control narrative.
  • Regulators and affected users should assess whether the security measures adopted and the disclosure timeline comply with the requirements of the LGPD.

iFood confirmed on Wednesday that a data breach that occurred in December 2025 exposed the personal information of approximately 1.2 million users, about 2% of its total customer base. The company said the incident was quickly contained by its security systems and that the exposed data was limited to names and CPF numbers.

Despite the controlled tone of the statement, the exposure of CPFs is cause for real concern: in Brazil, the combination of name and CPF can be enough to open lines of credit or commit identity fraud. iFood made a point of stressing that passwords, payment methods and financial records were not accessed.

The company also pushed back on versions circulating online that suggested a leak of 43 million records, stating that successive analyses indicated it was only the December episode, already neutralized. However, the statement did not clarify why the incident was publicly disclosed only almost six months after it occurred, a gap that may have legal implications under the LGPD.

The case comes at a time of growing scrutiny of data security practices at Brazilian technology companies. iFood, which stores the addresses, preferences and consumption habits of millions of people, will have to demonstrate that its protective measures were adequate and that the notification timeline met legal obligations. Whether the episode will result in structural changes to the platform or be absorbed as one more incident in the growing list of leaks in the sector remains to be seen.

iFood confirmed on Wednesday that a data breach had exposed the personal information of roughly 1.2 million of its users, an incident the company says occurred in December 2025 and was contained swiftly by its security systems. The breach represents about 2 percent of the platform's total customer base—a significant number, though the company moved quickly to characterize it as isolated and controlled.

The exposed data included names and CPF numbers, the Brazilian tax identification document that serves as a de facto national ID. For many users in Brazil, the combination of these two pieces of information is enough to open credit lines or commit identity fraud, making the exposure a genuine concern despite iFood's reassurances. The company stated that access credentials—passwords—were not compromised, nor were payment methods or financial transaction records.

In a statement released Wednesday, iFood pushed back against earlier reports suggesting that 43 million records had been leaked. After what the company described as successive analyses, it determined that the material circulating online referred only to the December incident, which it says was "rapidly neutralized" by existing security protocols. The company emphasized that no banking data or transaction information had been accessed, a distinction meant to separate the breach from scenarios where financial harm might be immediate and widespread.

The timing of the public acknowledgment—nearly six months after the incident occurred—raises questions about how long iFood took to detect and disclose the breach to affected users. The company did not address this gap directly, instead focusing on its compliance with Brazil's General Data Protection Law, known as the LGPD. In its statement, iFood said it continues to adopt protective measures and monitor the situation to prevent future incidents, language that suggests ongoing investigation rather than closure.

The breach arrives at a moment when Brazilian tech companies face increasing scrutiny over data security practices. iFood, one of the country's most widely used food delivery platforms, holds intimate details about millions of users—their addresses, phone numbers, payment preferences, and eating habits. A breach of this scale, even one limited to names and CPF numbers, demonstrates the vulnerability of centralized databases holding sensitive personal information at scale. The company's assertion that it remains in strict compliance with the LGPD will likely be tested as regulators and affected users assess whether the security measures in place were adequate, and whether the disclosure timeline met legal obligations. What remains to be seen is whether this incident prompts broader changes to how the platform protects user data, or whether it becomes another data breach absorbed into the growing list of Brazilian tech security incidents.

The security of our community is a priority and we continue to act in strict compliance with the General Data Protection Law to continuously improve our systems.
— iFood statement
The Hearth Conversation: Another perspective on the story
Inventor

Why did it take iFood six months to publicly acknowledge a breach that happened in December?

Model

The company didn't explicitly say. They confirmed the incident on Wednesday but didn't explain the timeline between discovery and disclosure. That gap is significant—it suggests either they took time to investigate the scope, or there's a question about when they actually found out.

Inventor

If passwords weren't exposed, does that mean users' accounts are still secure?

Model

Technically, yes—someone can't log in as you without your password. But they have your name and CPF, which in Brazil is enough to impersonate you for credit applications or other fraud. The lack of password exposure is a relief, but it's not a clean bill of health.

Inventor

The company says 2 percent of users were affected. Does that number feel small to you?

Model

On paper, yes. But 1.2 million people is a real number of real people whose identities are now in circulation somewhere. Whether it's 2 percent or 5 percent, the absolute scale is what matters to the person whose CPF was exposed.

Inventor

What about the claim that iFood is LGPD compliant?

Model

That's what they're saying, but compliance and security are different things. You can follow the law and still have a breach. The real question is whether their security measures were adequate—and whether they disclosed this fast enough, which the law requires.

Inventor

Will this change how people use iFood?

Model

Some users will be more cautious. Others won't notice or care. But for a platform built on trust and convenience, knowing your data was exposed—even if passwords weren't—creates a crack in that trust that's hard to repair.

Want the full story? Read the original at Meio Norte ↗