Data leak of 223 million Brazilians

A major leak of personal data affecting more than 223 million Brazilians has been reported in the press in recent weeks. The database is extensive and detailed, and there is still little certainty about its origin or who is responsible. However, security experts have confirmed that this is "hot" and valid data, which is for sale on the so-called "dark web" (parts of the internet not normally accessible through ordinary browsing). In view of this, we offer some practical recommendations on the types of threat this leak may pose to each of us and how to protect ourselves.

  • Yes, you were affected and may be a target of fraud.
    The leaked data contains far more CPF numbers than there are active CPFs at the moment (there are approximately 210 million Brazilians). It is therefore very likely that you were affected. Assume that malicious people may indeed have information about you and that you will be subject to social engineering scams ("phishing") and identity theft more often in the near future. The site <fuivazado.com.br> was created to confirm whether you were affected, but we consider checking it unnecessary given the breadth of the leak and the lack of information about how that site works (even though it has been endorsed by the well-known technology site TechMundo).
  • Know what data may be in the possession of third parties.
    This may have been the most comprehensive data leak ever recorded in terms of content. The leaked data includes, among other things: names and documents (including CPF, RG, voter registration and PIS), addresses and phone numbers, education level, family relationships and date of birth, vehicle data (including model, color, license plate and chassis number), Income Tax and INSS benefit details, information about companies you are affiliated with (including CNPJ, company name, trade name and founding date), photograph and LinkedIn page, credit data (including credit score, negative records and SERASA Mosaic service data) and additional information on public servants. Once more is known about the origin of the data, its exact content (for example, how current the address is) can be consulted legally by exercising your rights under the LGPD.
  • Change and strengthen your passwords and enable two-factor authentication.
    With this data leaked, malicious people can try to access online services using your information. Change your passwords, especially where you have reused the same password on more than one service or have used very weak passwords (for example, ones that include birthday information). Prefer strong passwords that are random or composed of several unrelated words, are at least 8 characters long and, if possible, mix letters, numbers and special characters. It is also recommended to enable two-factor authentication whenever possible to prevent the "hijacking" of accounts on digital services.
  • During this period, you contact companies; they do not contact you.
    With the amount of information leaked, malicious people may be able to identify the senders that specific people trust and then impersonate those senders in malicious communications. Be wary of unexpected emails and SMS messages, even from acquaintances, especially if they contain links or attachments. Likewise, be suspicious of phone calls, even when the caller confirms your data, as this no longer guarantees that you are talking to someone who holds it for legitimate reasons.
  • Monitor your CPF.
    We suggest subscribing to services that monitor inquiries and financial operations on your CPF so that you can quickly notice and contest attempts to move funds in your name. Companies such as Serasa Experian and Boa Vista SCPC offer this type of service at competitive prices. Some financial applications, such as the Guiabolso application, also offer free, simplified versions of these services.
  • Consider additional measures for your personal safety.
    If you consider yourself someone who is particularly likely to be targeted (for example, a director of a large company, an influential or high-profile entrepreneur, or someone with assets or financial activity), this is the time to redouble your attention to your security habits.

Our privacy and personal data protection team is following the available information on the investigations and developments in the case and will provide further comments as soon as possible.

We are available for questions and clarifications by e-mail: [email protected].