Data breach (unresolved)

Brazil 223-million mega-leak

The largest personal-data leak in Brazilian history: databases on roughly 223 million people — including names, CPF tax IDs, facial images, salaries and credit scores — surfaced for sale on a dark-web forum, with suspicion pointing at credit-bureau data.

Victim: Brazilian population (credit-bureau-linked databases)
Records: 223.0M
Users: 223.0M

On 20 January 2021, Brazilian researchers revealed what remains the largest personal-data leak in the country's history: databases offering the personal information of roughly 223 million people — more than Brazil's entire living population — for sale on a dark-web forum.

What happened

The leak was first surfaced by PSafe's dfndr lab and the technology portal Tecnoblog, who found a seller on a hacker forum advertising a sprawling collection of Brazilian databases. Because the population figure exceeds Brazil's ~210 million inhabitants, analysts concluded the trove also contained records of deceased individuals, kept on file by data brokers and credit bureaus.

The data was extraordinarily detailed. Beyond names, CPF tax identifiers, dates of birth and gender, the records reportedly included facial images, addresses, phone numbers, email addresses, salary and income figures, credit scores, purchasing-power ratings, marital status, named relatives, voter-registration numbers, education level, LinkedIn profiles and even geographic coordinates. Separate datasets exposed roughly 104 million vehicle records and tens of millions of Brazilian companies.

The seller offered a free, condensed sample and sold the complete material in packages — starting around $500, payable only in Bitcoin — with per-person pricing as low as a few cents.

The Serasa Experian question

The structure and richness of the data — particularly the credit scores and consumer-categorisation fields — led many researchers to suspect it originated from Serasa Experian, Brazil's dominant credit bureau. Serasa publicly denied that its systems were the source, stating that an internal and external forensic review found no evidence of a breach of its environment. The origin of the leak has never been officially confirmed, and no perpetrator has been identified.

Impact and fallout

  • An exposure of this scale effectively means near-universal identity-fraud risk for adult Brazilians, enabling synthetic-identity fraud, account takeover and targeted phishing.
  • Brazil's Senate, the consumer agency Senacon, and the newly operational National Data Protection Authority (ANPD) all opened inquiries, making this an early stress test of the LGPD, Brazil's GDPR-style data-protection law that had entered into force in 2020.
  • In January 2026, a group claim tied to the episode was filed in the English High Court against Experian entities.

Why it matters

The mega-leak crystallised a structural problem: in a data-broker economy, a single aggregated database can expose an entire nation at once, and attribution becomes nearly impossible when the same fields are held by many companies. It became the defining test case for Brazil's young data-protection regime — and a warning that the most damaging breaches may not be intrusions into one firm, but the quiet commercialisation of everyone's data.

Timeline

  1. A dark-web forum seller begins advertising databases covering the personal data of the entire Brazilian population.

  2. Brazilian cybersecurity firm PSafe's dfndr lab and tech portal Tecnoblog publicly reveal the leak of data on ~223 million people.

  3. Researchers report the leak also includes ~104 million vehicle records and tens of millions of company records.

  4. Serasa Experian states it is investigating but says it found no evidence its systems were the source.

  5. Brazil's Senate, the consumer-protection agency Senacon and the national data-protection authority (ANPD) open inquiries.

  6. A group claim linked to the leak is filed in the English High Court against Experian entities.

