iFood confirms data breach affecting 1.2 million users

As noted by HackRead, Brazilian food delivery app iFood has confirmed a data breach that occurred in December 2025, impacting approximately 1.2 million users, which represents about 2% of its customer base. The company announced on Wednesday, June 3, that the incident involved unauthorized access to sensitive user information.

The breach resulted in the exposure of names, phone numbers, addresses, and CPF numbers, which are crucial Brazilian taxpayer identification documents used for various daily transactions. iFood has clarified that passwords, bank details, and credit card information were not compromised. This confirmation follows conflicting reports, including a hacker's claim on BreachForums of stealing around 43.8 million customer records. iFood has strongly refuted these larger numbers, stating no evidence supports such a widespread impact. However, some hackers have suggested the admitted 1.2 million leak is a separate, older incident, and a more recent, larger theft might still be valid.

The situation raises concerns under Brazil's data protection law, LGPD. iFood opted not to send formal alerts to affected users, citing ANPD criteria that waive notification if an incident poses no significant risk or harm. Despite this, CPF numbers are valuable for identity fraud, and iFood urges customers to rely solely on official app communications for security.

Source: HackRead