iFood confirmed on Wednesday that 1.2 million users — about 2% of its base — had personal data breached in December 2025. The company said only registration data like names and tax IDs were exposed, without compromising passwords, payment methods or financial information.
Press quotes (1)
"The iFood app reported this Wednesday (3) that a leak of user data was recorded in December 2025 that affected about 2% of its base, that is, about 1.2 million people"
The company did not report the incident to Brazil's National Data Protection Authority (ANPD) or affected users. According to iFood, "LGPD waives reporting and communication when the event does not pose relevant risk or damage to data subjects, according to regulatory criteria defined by ANPD." ANPD confirmed it received no formal communication but requested information about the case.
Press quotes (1)
"iFood chose not to formally report the leak to the National Data Protection Authority (ANPD) or to the affected data subjects. The decision is based on the interpretation that the General Data Protection Law (LGPD) "waives reporting and communication when the event does not pose relevant risk or damage to data subjects, according to the regulatory criteria defined by ANPD"."
The controversy intensified after a hacker on Breach Forums claimed to have stolen data from 43.8 million iFood users, including tax IDs, names, emails, phone numbers and credit card data, demanding payment by June 10. iFood denied the breach was of such magnitude, reaffirming that only 1.2 million users were affected with basic registration data.
Press quotes (1)
"The cybersecurity site Dark Web Informer, which monitors dark web forums, reported that in the last week a user of Breach Forums, a hacker community, claimed to have stolen data from 43.8 million iFood users"
According to ANPD, Brazil's General Data Protection Law requires data controllers to communicate security incidents to the authority and data subjects within three business days when they may pose relevant risk or damage. The assessment should consider the nature of the data, volume of people impacted and potential effects of the incident.
Press quotes (1)
"In a statement, ANPD confirmed that it had not received a security incident notification involving iFood, but that it had requested the necessary information, and said that the LGPD (General Data Protection Law) requires the data controller to notify ANPD and the personal data subjects within three business days"
- The breach occurred in December 2025 and affected 1.2 million users (2% of iFood's base)
- Only registration data (names and tax IDs) were exposed, without compromising passwords, payments or financial data
- A hacker on Breach Forums claimed to have data from 43.8 million users and demanded payment by June 10
Covered by only some sources, or where the accounts diverge.
Points disputed between the actors (1)
The same outlets report both versions — the contradiction is between the actors in the story, not between outlets.
Scope of data allegedly leaked by hacker versus confirmed by iFood
- What was the technical method used in the cyberattack and is there evidence of malicious use of the leaked data?
  Why it's still unknown: iFood only mentioned it was a 'cyberattack quickly contained', without detailing the access vector or subsequent impact
- When exactly in December 2025 did the breach occur and how long did it take to detect and contain?
  Why it's still unknown: Sources only report it was 'in December 2025', without specifying start, detection and containment dates
- What will be ANPD's formal position after analyzing the requested information from iFood about LGPD compliance?
  Why it's still unknown: ANPD only confirmed it requested information, but has not yet issued a position on the adequacy of iFood's decision not to report the incident
- Is there a relationship between the December breach confirmed by iFood and the hacker's claim on Breach Forums about 43.8 million users?
  Why it's still unknown: It's unclear whether these are distinct incidents or if the hacker is exaggerating the scope of the same December breach