Leak of 223 million CPFs is sold in “promotion” for $ 30,000 | Antivirus and Security

The leak with data of 223 million CPFs and 40 million CNPJs is for sale at a much lower price than initially charged, according to the Tecnoblog: US $ 30 thousand for information such as address, e-mail, telephone, voter registration, credit score, income, purchasing power, family bonds and INSS. According to rumors, the entire file ended up leaking, so it would be worth less.

Leaked data (Image: Vitor Pádua / Tecnoblog)

Leaked data (Image: Vitor Pádua / Tecnoblog)

How are leaked personal data being sold?

The hacker outlined the sale as follows: he divided the leak into 40 parts; the first one is sent without prior payment. Anyone interested pays $ 750 in bitcoin, notifies them by message that they have made the deposit, and receives the link to download part 2. This is repeated successively for all subsequent files, totaling the $ 30 thousand.

Each portion of the leak contains data of exactly 5,593,481 CPFs and 1,004,596 CNPJs. Altogether, they are 960 GB in files (96 GB when compressed).

The announcement, released on a forum by the same vendor who had announced the 223 million CPFs, is entitled “Serasa Experian Full Database”. Serasa has repeatedly denied that it is the source, pointing out that it does not have data such as INSS records, vehicle records and LinkedIn information – all present in the leak.

“So far there is no evidence that data has been obtained illegally from Serasa,” said the company in a recent statement. “There is also no evidence that their systems have been compromised.”

Experts believe that the hacker obtained this information from several sources. He does not disclose where he got all this from, but he guarantees that these databases are used “by the biggest big data providers in Brazil”.

File with leaked data cites SQL server name and tables (Image: Reproduction)

File with leaked data cites SQL server name and tables (Image: Reproduction)

Why is the hacker charging less for the leak?

When the leak was announced in January, there was a price scale: a package with a hundred CPFs cost $ 100; whoever took two thousand units paid proportionally less (US $ 500); and whoever bought data from twenty thousand people paid US $ 2 thousand. With that, the sheet estimated that the hacker could earn about $ 15 million.

Why is he now charging $ 30,000? There is strong evidence that the data is indeed legitimate, and buyers will be able to test this, as part 1 of the leak is a “free” sample: the buyer does not need to pay for it immediately, but the amount will be charged to release the last one part (number 40).

In the “free” file, the buyer will be able to verify if the data of the 5.5 million CPFs, organized sequentially, are really valid. If there were false information, it would hurt the seller, who would not earn a penny.

So what could have brought the price down? There is still little information about this, but the Tecnoblog found that the mega-leak attracted the interest of other hackers and security researchers, and they would have been able to obtain the complete file.

Authorities investigate CPF leak

CPF (Image: Emerson Alecrim / Tecnoblog)

CPF (Image: Emerson Alecrim / Tecnoblog)

The hacker had a harder time selling the leak after it fell into the sights of the STF (Supreme Federal Court). Minister Alexandre de Moraes determined in early February that four links related to the subject should be dropped, including the forum topic that sold the database; it should also be removed from Google, Bing and other search engines.

None of this happened – the link itself still works today and still appears in search results – but the topic has been deleted. The seller’s last public post on the forum in question is January 18th.

The ANPD (National Data Protection Authority) is investigating the leak of 223 million CPFs. The Federal Police, in turn, also investigates the incident under the order of the STF.

As detailed in the Tecnoblog exclusively, these are the categories present in the leak of CPFs and CNPJs:

Categories in CPF leak Categories in the leak of CNPJs
– basic (name, CPF, gender, date of birth, father’s name, mother’s name)

– marital status

– family bond

– email

– telephone

– address

– households

– education

– university students (name of college, course, year of entry and year of completion)

– occupation

– job

– wage

– income

– social class

– purchasing power

– Bolsa Família

– voter registration

– RG


– CNS (National Health Card)

– NIS (Social Identification Number)



– IRPF (income tax)


– credit score

– Debtors

– bad checks

– Mosaic

– affinity

– analytical model (provides a chance for consumers to have an affinity to buy a product or service)

– photos of faces

– LinkedIn (ID number and profile access URL)

– business (name of partner, participation, company name, etc.)

– public servants

– advice (people who provide advice in the public or private sphere)

– Deaths

– basic (CNPJ, corporate name, trade name, registration, etc.)

– telephone

– address

– business (name and CPF of members, participation)

– legal nature (corporation, individual entrepreneur, etc.)

– legal representative

– class of operation

– share capital value

– Simples Nacional and SIMEI


– Sintegra


– Mosaic

– credit score

– bad checks

– Debtors

Leave a Comment