Data such as CPF, CNPJ, address and telephone contracts of more than 102 million Brazilians are publicly available on a website, warns the virtual security company PSafe.
The site was discovered by dfndr lab, PSafe's laboratory specializing in digital security, using the dfndr enterprise tool, which uses Artificial Intelligence (AI) to identify possible data leaks through constant scans of the common internet, the deep web and the dark web.
This website was found on September 19 and has since been analyzed by the dfndr lab. According to the researchers, the page makes data such as name, CPF, address, gender, date of birth, e-mail and even income available for consultation.
The page also allows users to consult information regarding contracts with telephone and subscription TV companies, such as landline and mobile phone number, type of plan contracted, contract date, contract number and payment method. According to PSafe, anyone with internet access can open the address and consult the data, without any type of block or credential.
PSafe has made available a list of points that the population should pay more attention to during the coming months, due to the data available on the page:
- Watch for unknown services and loans contracted in your name;
- Change your passwords frequently and set up a second authentication factor;
- Do not click on suspicious links that have been sent to your phone or email;
- Do not open email from unknown senders.
PSafe claims to have already prepared and sent a report on the page to the National Data Protection Authority (ANPD), the body responsible for overseeing the General Data Protection Law (LGPD).
The site is another chapter in a complicated 2021 for the data security of the Brazilian people. In January, researchers from the dfndr lab identified a leak that exposed the CPF of much of the population. In February, more than 102 million Brazilians, including President Jair Bolsonaro, had information such as telephone line records and addresses marketed on forums on the dark web. Finally, in July, RGs, CPFs and driver's licenses from a total of 109 million national users were offered for sale by criminals, also on forums.
Dangers of Exposed Data
With so much sensitive data publicly available, Emilio Simoni, chief security officer at PSafe, warns of the risk of new scams: “We’re talking about a super base, probably enriched from the compilation of other possible leaks. In the hands of cybercriminals, this data is a ‘full platter’ for applying social engineering scams, which is when scammers use this information to trick victims into taking action that will harm them. Knowing that this data is freely available on the open Internet, we need to alert the population to be even more suspicious of phone calls and messages that use this information to gain their trust”, he explains.
Simoni also warns that, in the hands of criminals, this information can create risky situations for the population. The executive recommends that people pay attention to their bank accounts and any unusual activity in them, from unauthorized access to loans. He concludes that, with this data, criminals can even open companies and fake accounts to run scams, all in the name of people who were affected by the information on the site.
PSafe researchers say that, so far, it is not possible to say whether there was really any data leakage for the creation of this site, but they point out that there are indications in the database itself that the data may come from records of telecommunication operators.
Canaltech contacted the press offices of Vivo, Tim, Claro and Oi to find out if the companies are aware of the site and if the data contained in it could be the result of any leakage of records that they may have suffered. As of the publication of this article, none of the companies mentioned had responded to the request.