A file with more than 40 million CNPJs is circulating on the internet with the fancy name and corporate name of legal entities. As found Tecnoblog, this is the preview of another even bigger base, which includes the credit score, debts, list of partners and more. The suspicion is that these data came from Serasa Experian, as well as the leak that affected 220 million Brazilians; the company denies it.
Two leaks of CNPJs
There are two distinct leaks. One of them seems more harmless, because it only includes the CNPJ, corporate name, trade name and date of foundation of the companies.
This data set is being distributed for free on a well-known forum on the open internet (not on the dark web). It contains 2.9 GB of data and would have been compiled in August 2019. In total, there are 40,183,784 CNPJs listed.
Then we have the second leak, more complete, also with 40,183,784 CNPJs. It brings a lot of other information: e-mail, telephone, address (with latitude and longitude), list of partners with CPF and shareholding, legal representative and share capital value.
Leak came from Serasa Experian?
Several of these data could be obtained through the IRS website, but not all – and this gives a clue as to where this content may have come from.
One of the folders contains information from Mosaic, a Serasa Experian service that classifies companies in different segments as “large, traditional and influential”, “small rural traders” and “young entrepreneurs on the rise”. The idea is to help prospect customers and target ads.
Another portfolio is related to the credit score, with the score and the level of risk (very low, low, medium, high and very high). In the leak, there is also a list of debts with their respective values.
In a statement to the Tecnoblog, Serasa Experian says it is aware of “third party claims about data made available on the dark web”. She claims to have carried out an investigation, but “at the moment we see nothing that indicates that Serasa is the source”.
What’s in the CNPJ leak?
This more complete leak is not free: it costs from $ 0.05 to $ 50 per CNPJ, depending on how much data is purchased. Payment is made only via bitcoin, with release in minutes or hours.
The following are the 17 categories of information present in the file for sale; O Tecnoblog discovered these details with the help of DataBreaches.net.
- basic: CNPJ, corporate name, trade name, registration (head office / branch, situation), date of foundation, number of employees, size, legal nature
- telephone: Area code, number, operator, plan, line type (fixed, prepaid, postpaid), installation date
- Address: street address, number, neighborhood, city, state, zip code, type (residential / commercial), latitude and longitude
- business: name and CPF of the company’s partners, participation (shares and%), date of entry into the company
- legal nature (corporation, individual entrepreneur, cooperative, public agency, etc.)
- legal representative: CPF and name of representative, registration status (active / downloaded / unfit)
- operating class: hours of operation (24h, commercial 9 am to 6 pm, lunch, night etc.), type of distribution (physical retail, online retail, physical wholesale)
- share capital value
- Simples Nacional and SIMEI: situation (opt / non-opt)
- IRS: foundation date, registration status (active / downloaded / inept)
- Sintegra: state registration number, activity start date, registration status
- Mosaic: targeting group and subgroup
- credit score: risk score, risk level (low / medium / high)
- bad checks: bank code and branch, reason (no funds / account closed)
- Debtors: type (principal, co-responsible), responsible unit, registration, type of credit (fine, IRPJ, COFINS, CSLL etc.), amount