Two threads on a data-selling forum offer information that supposedly comes from the Habib's fast food chain. In both, the data set exceeds the 3 million customer mark. The leak also appears on a public listing, and Serasa has notified its customers about it.
The tip reached Techblog through an email from reader Eric. He reports having received a notification from Serasa about the leak of his personal information: CPF, address, email and telephone number.
ReclameAqui has more than a dozen similar cases. Customers say they were alerted by the credit bureau, which offers a personal data monitoring service. Habib's has not answered any of the complaints on the platform.
When contacted, Serasa did not give further details on how it identified that this data was on the dark web, a claim that appears in the notifications sent to customers. Techblog did its own search and found further evidence of the leak.
Data is sold on criminal forums
We found two threads offering Habib's data on a forum for buying and selling leaked data.
In one of them, the user offers two files. One supposedly comes from the mobile application, while the other's data would be from the back end of the web system. Together, the two would add up to 1.8 GB and hold information on more than 3.5 million users.
In a small sample, the user shows the columns that would be in the database:
id, avatar, nome, email, nascimento, tipo_publico, plataforma, facebook, apple_id, cpf, telefone, device_id, ip, conta_id, usuario_id, time, endpoint, aparelho, senha, genero, fidelizado, ofertas_email, ofertas_sms, origem, pontuou, usou_pontos_habibers, telefone2
In the same thread, another user replies that there are no passwords in the database: in every entry, the field is either empty or null. The two links provided are broken, and the topic has been moved to the forum's section for removed databases.
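As an added example (not code from Techblog, Habib's or the forum), the script below shows how an incident-response team could triage a sample like the one quoted above: it parses the claimed column header, maps column names to personal-data categories for a breach notification, and checks the forum reply's claim that the password field ("senha") is always empty or null. The category table and the sample rows are constructed for illustration, not taken from the leak.

```python
import csv
import io

# Header exactly as shown in the forum sample quoted in the article.
CLAIMED_HEADER = (
    "id, avatar, nome, email, nascimento, tipo_publico, plataforma, facebook, "
    "apple_id, cpf, telefone, device_id, ip, conta_id, usuario_id, time, endpoint, "
    "aparelho, senha, genero, fidelizado, ofertas_email, ofertas_sms, origem, "
    "pontuou, usou_pontos_habibers, telefone2"
)

# Assumed mapping of column names to personal-data categories (a hypothetical
# table written for this example, not from the page); it drives the exposure summary.
PII_CATEGORIES = {
    "nome": "full name",
    "email": "email address",
    "nascimento": "date of birth",
    "cpf": "CPF (national ID)",
    "telefone": "phone number",
    "telefone2": "phone number",
    "ip": "IP address",
    "device_id": "device identifier",
    "facebook": "social login identifier",
    "apple_id": "social login identifier",
    "genero": "gender",
    "senha": "credential",
}

# Representations of "empty or null" that a dumped export commonly uses.
NULL_VALUES = {"", "null", "NULL", "none", "None", "\\N"}


def parse_header(header_line):
    """Split a comma-separated header line into clean column names."""
    return [c.strip() for c in header_line.split(",") if c.strip()]


def exposed_categories(columns):
    """Personal-data categories present in the column list (sorted, no duplicates)."""
    return sorted({PII_CATEGORIES[c] for c in columns if c in PII_CATEGORIES})


def credential_stats(csv_text, password_column="senha"):
    """Count rows whose password column is populated versus empty/null."""
    reader = csv.DictReader(io.StringIO(csv_text))
    stats = {"populated": 0, "empty_or_null": 0}
    for row in reader:
        value = (row.get(password_column) or "").strip()
        key = "empty_or_null" if value in NULL_VALUES else "populated"
        stats[key] += 1
    return stats


# Constructed sample (fake values) using a subset of the claimed columns;
# every senha field is empty or null, matching the forum reply's description.
SAMPLE_CSV = """id,nome,email,cpf,senha,ip
1,Fulano de Tal,fulano@example.com,000.000.000-00,,203.0.113.10
2,Ciclana Silva,ciclana@example.com,111.111.111-11,null,203.0.113.11
3,Beltrano Souza,beltrano@example.com,222.222.222-22,NULL,203.0.113.12
"""


if __name__ == "__main__":
    cols = parse_header(CLAIMED_HEADER)
    print(f"{len(cols)} columns claimed; exposed categories: {exposed_categories(cols)}")
    print("credential field:", credential_stats(SAMPLE_CSV))
```

The category summary is what an LGPD Article 48 notice needs (which kinds of personal data were affected), and the credential check turns a forum claim ("no passwords") into something verifiable against whatever sample the company actually obtains.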
In another thread, a different user tries to sell a set of 3 million Habib's records. This database would focus on address information, such as segment, street, neighborhood, city and state.
The leak appears on a website that lists incidents
Serasa's service seems not to have been the only one to notice that a fast food chain's data was being sold. Leak-Lookup, a site that catalogs leaks, also has information about the incident.
The registered entry points to more than 3.9 million records, with columns such as email, full name, IP address, telephone number and user ID. Here, at least, there is no CPF or address.
None of the leaks appears to contain passwords. Even so, reader Eric says that his password manager also warned him that Habib's had been compromised. In my case, it is still listed as safe, but it no longer works on the website, only in the app.
Habib's has not commented
Techblog emailed Habib's press office on Friday (5). So far, there has been no response. The company also has not spoken out on its social networks or replied to complaints on ReclameAqui, a platform where it is usually quite active.
It is worth remembering that the General Data Protection Law (LGPD) establishes, in its Article 48, that incidents of this kind must be reported to the National Data Protection Authority (ANPD), the body responsible for investigating such episodes and applying penalties. Data subjects must also be informed.
Let's follow how this story unfolds to see whether it really goes anywhere or whether it ends up in pizza, or rather, in esfiha.
With contributions from Felipe Ventura.