iFood confirms data breach affecting 1.2M users, denies larger claims

1.2 million users had personal identification data (names, CPF numbers) exposed, creating identity theft and fraud risks.
A person's CPF is tied to credit history, tax records, and financial accounts.
Why the exposure of names and CPF numbers carries serious risk for Brazilian users.

In December 2025, one of Brazil's largest delivery platforms saw the personal data of 1.2 million users exposed: names and CPF numbers, fragments of identity that, in the wrong hands, open the door to fraud and impersonation. iFood confirmed the incident months later, under pressure from an anonymous threat that inflated the number to 43 million affected. Between the company's version and that of the unknown accuser, 1.2 million people are now navigating a zone of uncertainty that technology created and that trust alone cannot resolve.

  • An anonymous threat circulated online claiming that data on 43 million users, including credit cards and e-mail addresses, was about to be leaked, creating panic out of proportion to what the company would go on to confirm.
  • iFood was forced to publicly disclose a breach that had occurred six months earlier, in December 2025, without immediate communication to the affected users.
  • The company rebutted the most serious allegations, stating that passwords, payment methods and financial data remained intact, but the delay in disclosure feeds distrust about what else may have gone unanswered.
  • For 1.2 million Brazilians, the exposure of name and CPF is not abstract: this data is the access key to credit history, tax records and financial accounts, making the fraud risk concrete and long-lasting.
  • iFood did not detail how it intends to notify those affected or offer monitoring services, a gap that contrasts with the good practice expected after incidents of this nature.

iFood confirmed on Wednesday that a security breach that occurred in December 2025 exposed the personal data of approximately 1.2 million users, about 2% of its total customer base. The compromised information includes names and CPF numbers, but the company states that passwords, payment methods and financial records were not accessed.

The disclosure was not spontaneous. It came to light after an anonymous account threatened to publish data on 43 million users, citing credit cards and e-mail addresses. iFood categorically denied that version, describing the actual incident as quickly contained by its internal security protocols, a narrative of control that contrasts with the silence kept during the six months between the breach and the public announcement.

For those affected, the exposure of name and CPF is not trivial. In Brazil, the CPF is linked to credit history, tax obligations and bank accounts. Combined with a name, it becomes an instrument of impersonation. The company did not say whether it will individually notify the affected users or offer identity monitoring services, measures that have become standard in similar situations.

The discrepancy between the 1.2 million confirmed and the 43 million alleged suggests either an extortion attempt using fabricated data or partial access to the real extent of the problem. What remains open is whether the number disclosed by iFood is definitive, and whether the trust placed in the company to guard what matters, the financial data, is in fact well founded.

iFood acknowledged on Wednesday that personal information belonging to roughly 1.2 million of its users was exposed in a security breach that occurred in December 2025. The company moved quickly to frame the incident as contained and limited in scope—the affected accounts represent about 2 percent of its total customer base.

The breach exposed registration data: names and individual taxpayer identification numbers, known in Brazil as CPF. What it did not touch, according to iFood's statement, were passwords, payment methods, or any financial records tied to user accounts. The company said its internal security protocols detected and stopped the incident rapidly.

But the disclosure came amid a larger, more alarming claim circulating online. An anonymous account had threatened to release sensitive information on 43 million users—a figure that would have encompassed nearly a third of iFood's customer base. That threat included references to credit card data and email addresses. iFood's statement was, in part, a direct rebuttal to those claims. The company flatly denied that the breach reached anywhere near that scale or that it exposed the kinds of financial details the anonymous poster had suggested.

The timing of the public confirmation is notable. The breach itself happened six months earlier, in December. iFood did not announce it immediately. The company's decision to speak about it now came as the anonymous threat gained traction online, forcing the company's hand. In its statement, iFood emphasized that the incident had been "contained quickly" through internal protocols, a phrase meant to reassure users that the company had acted decisively once the problem was identified.

For the 1.2 million affected users, the exposure of names and CPF numbers carries real risk. These pieces of information are foundational to identity theft and fraud in Brazil. A person's CPF is tied to credit history, tax records, and financial accounts. Combined with a name, it becomes a tool for someone to impersonate that person or open accounts in their name. iFood did not specify what steps it was taking to notify affected users or offer them monitoring services, though such measures are increasingly standard in the aftermath of breaches of this kind.

The company's denial of the 43 million figure is significant because it suggests someone either fabricated the larger number as part of an extortion attempt or possessed incomplete information about the actual scope of the breach. Either way, iFood's confirmation of 1.2 million affected users establishes a baseline. Whether that number itself is complete, or whether additional data was exposed beyond what the company has disclosed, remains an open question. For now, iFood is asking users to trust that the damage is limited and that the company's security measures held where it mattered most—at the gates of financial data.

The incident was contained quickly by internal protocols and did not reach passwords, payment methods, or financial records.
— iFood statement

The Hearth Conversation: Another angle on the story
Inventor

Why did iFood wait six months to say anything about this?

Model

The company didn't volunteer the information. An anonymous account online threatened to release data on 43 million users, and that's what forced iFood to respond. Once the threat went public, silence became impossible.

Inventor

So the 43 million number—is that real?

Model

iFood says no. They're saying it's either fabricated or wildly inflated. What we know is that 1.2 million people had names and CPF numbers exposed. That's real. The rest is a claim they're disputing.

Inventor

Why does a CPF matter so much?

Model

In Brazil, your CPF is like a master key. It connects to your credit history, your tax records, your financial life. Someone with your name and CPF can open accounts, take out loans, commit fraud in your name. It's not just a number—it's an identity.

Inventor

Did iFood say what it's doing for those 1.2 million people?

Model

The statement doesn't mention notification plans or monitoring services. They said the incident was contained and that passwords and payment data weren't touched. But they didn't outline what comes next for the people affected.

Inventor

What should those users do?

Model

Watch their credit reports. Monitor for unexpected accounts or charges. The company says financial data wasn't exposed, but having your name and CPF in the wild means you need to be vigilant. Trust, but verify.
