With names and CPF numbers in circulation, there is real risk of fraud
In December 2025, the personal data of 1.2 million iFood users (names and CPF numbers) was exposed in a security breach that the company made public only six months later. The incident, which affected about 2% of the platform's customer base, did not compromise passwords or financial records, according to the company itself. Even so, the episode highlights a permanent tension of the digital age: the distance between the promise of protection and the silent vulnerability of the data we entrust to systems we can barely see.
- 1.2 million Brazilians had their names and CPF numbers exposed in a leak that occurred in December 2025: documents sufficient to open fraudulent credit or create accounts in other people's names.
- Public disclosure came almost six months after the incident, raising doubts about whether iFood met the deadline required by the LGPD for notifying users and authorities.
- The company maintains that passwords, payment methods and financial data remained intact, frames the case as isolated, and says its systems contained the leak quickly.
- Scammers can now pose as iFood to contact those affected; the company's own warning about official channels reveals this ongoing secondary risk.
- Regulators and privacy advocates are expected to examine the timeline of the case, placing iFood under scrutiny over whether it actually complied with its legal obligations.
iFood confirmed on Wednesday that a security incident in December 2025 exposed the personal data of 1.2 million users, about 2% of its customer base. The compromised information includes names and CPF numbers, the Brazilian tax identification document. The company says that passwords, payment methods and financial records were not accessed.
In a statement, iFood expressed regret over the incident, classified it as isolated and said its security systems acted quickly to contain it. The company reiterated that it operates in compliance with the Lei Geral de Proteção de Dados (LGPD), Brazil's General Data Protection Law, and asked users to verify any communication exclusively through the platform's official channels, a warning that in itself signals the risk of scammers exploiting the leak to approach victims.
The most sensitive point of the story, however, is time: the incident happened in December but was publicly disclosed only in June, a gap of almost six months that may put the company on a collision course with the requirements of the LGPD, which mandates notification without unjustified delay. For 1.2 million people whose CPF numbers are circulating in unknown hands, the risk of identity fraud is concrete and immediate. iFood's response bets on reassurance, but how well that bet holds up will depend largely on what regulators find when they examine the company's conduct.
iFood announced on Wednesday that a security breach had exposed the personal information of 1.2 million of its users—roughly 2 percent of its total customer base. The company said the incident occurred in December 2025 and was contained quickly by its security systems.
According to iFood's account, the compromised data consisted of registration information: names and CPF numbers, the Brazilian tax identification document that serves as a national ID. The company stated explicitly that passwords were not exposed, payment methods remained secure, and no financial records were accessed or leaked.
In a statement, iFood expressed regret over the breach and reminded users that all legitimate communications from the platform come through official channels only. The company emphasized that protecting its user community is a core priority and said it continues to operate in full compliance with Brazil's General Data Protection Law, known by its Portuguese acronym LGPD, while working to strengthen its security infrastructure.
The timing of the disclosure—nearly six months after the December incident—raises questions about how long the company took to identify and publicly acknowledge the breach. iFood's framing of the event as isolated and quickly contained suggests the company does not view it as a sign of systemic vulnerability, though 1.2 million exposed identities represent significant exposure to potential fraud and identity theft.
For users affected, the practical concern is immediate: with names and CPF numbers in circulation, there is real risk of fraudulent credit applications, unauthorized accounts opened in their names, or other forms of identity misuse. The company's warning about verifying communications through official channels hints at a secondary risk—scammers may now contact affected users claiming to be from iFood, offering assistance or requesting additional information.
The breach also places iFood under scrutiny regarding its LGPD obligations. Brazil's data protection law requires companies to notify affected individuals and relevant authorities without undue delay when a breach occurs. The six-month gap between the December incident and the June announcement will likely draw attention from regulators and privacy advocates monitoring whether the company met its legal obligations.
For a platform that processes millions of food orders and payment transactions daily, data security is foundational to user trust. iFood's response now centers on reassurance: the company is asking users to remain vigilant, to trust only official communications, and to have confidence that its systems are being continuously improved. Whether that reassurance holds will depend partly on what regulators uncover about the timeline and handling of the breach.
Notable Quotes
The security of our community is a priority and we continue operating in full compliance with LGPD while strengthening our systems — iFood statement
The Hearth Conversation: Another angle on the story
Why did it take six months for iFood to tell people their data was exposed?
The company hasn't explained the timeline clearly. They say the breach happened in December and was contained quickly, but we don't know when they actually discovered it or when they decided to go public. That gap matters legally under LGPD.
If only names and CPF numbers were exposed, how serious is this really?
Very serious. A CPF is like a Social Security number—with that and a name, someone can open credit accounts, apply for loans, or commit fraud in your name. It's not as immediately damaging as stolen credit card data, but it's a long-term identity risk.
What's the company's actual exposure here—legally, I mean?
They could face fines under LGPD if regulators determine they didn't notify people quickly enough or didn't handle the breach properly. They could also face lawsuits from affected users. The fact that they're emphasizing compliance now suggests they're aware of that risk.
Why warn people about fake iFood communications if the breach is contained?
Because scammers will absolutely use this. Once they know 1.2 million people had a breach, they'll call or email pretending to be iFood support, asking for verification or offering help. It's a secondary attack vector.
Does this change how people should think about using iFood?
Not necessarily. The company says payment data wasn't touched, which is the most critical piece. But it's a reminder that no platform is invulnerable, and users should monitor their credit and be skeptical of unsolicited contact claiming to be from iFood.