Massive Brazilian Data Breach

I think this is the largest data breach of all time: 220 million people. (Lots more stories are in Portuguese.)

EDITED TO ADD (2/11): I seem to be conflating two stories, one current and one from last year. The current massive leak from last week is the Brazilian equivalent of the Equifax leak, and someone is selling the private information.

Posted on January 26, 2021 at 6:15 AM12 Comments


Goat January 26, 2021 9:09 AM

If this rapid digitalisation continues unchecked India may well make it “so far” instead of “all time”

gus January 26, 2021 1:27 PM

Bruce, you’re mixing two massive leaks. One was from last year, and the information wasn’t being sold online (AFAIK). The massive leak from last week is the Brazilian equivalent of the Equifax leak and someone is selling out more private information (37 more types) as a service.

David Rudling January 26, 2021 1:30 PM

I agree. Unless something happens to drastically alter the trajectory of global personal data digital capture and storage – and I see no sign of it – then out of a global population of 7.8 billion (as estimated at March 2020) a data breach of a paltry 243 million is unlikely to hold the record for very long.

Ollie Jones January 26, 2021 6:07 PM

Interesting. Somebody left some credentials embedded in source code. !!

Github shrieks at you if you try that now. So does Gitlab. But these guys concealed them in some base64 string.

Infosec these days is shockingly brittle.

Oscar Wilde January 26, 2021 9:54 PM

This is peanuts. There is a criminal organization in Brazil using NSO Group’s Pegasus to infect devices for hack for hire, to incite terrorism, blackmail people, produce illegal pornography and assist in assassinations. They also have other advanced malware, like UEFI implants and even persistent implants for Kindle and Raspberry Pi. Plus face/voice recognition on every camera and microphone they can get into, in public or private places.

Brazil won’t do anything to stop them. Only the FBI, CIA and NSA can stop them.

There is also the possibility that they were engaged on the hack of Bezos’ smartphone.

If you know of any security researcher who wants to reverse engineer the exploits they are using, I am more than willing to help them.

If you want a story about how they operate, I am willing to work with you to expose them.

Freezing_in_Brazil January 28, 2021 9:23 AM

Serasa/Experian was notified yesterday by the Sao Paulo state customer watchdog to officially present their explaining of the leak. Last tuesday the company had said that, “upon detailed analysis carried out to this date, we conclude that Serasa/Experian is not the source of the leak. We also do not see evidence that our systems have been compromised”.

@Oscar Wilde

Unless you have credible info to support you claim, I personally don’t see the involvement of such criminal organization. I don’t think the OrgCrime down here is mature enough to be interested in the data business or sophisticated enough to incite terrorism, blackmail people, produce illegal pornography and assist in assassinations.

But, of course, I could be wrong.

Rodolfo January 29, 2021 12:44 PM

My question is, where did the information came from? If it wasn’t from Serasa Experian who can have such databse? this must have been from the government itself

Nelson Novaes January 31, 2021 2:52 PM

Don’t panic 🙂 I would like to share with you new MIT research regarding this kind of incident. We’ve mapped more than 22 billion of leakage records. A lot of detail inside the paper: Developing a Global Data Breach Database and the Challenges Encountered –

Abstract: If the mantra “data is the new oil” of our digital economy is correct, then data leak incidents are the critical disasters in the online society. The initial goal of our research was to present a comprehensive database of data breaches of personal information that took place in 2018 and 2019. This information was to be drawn from press reports, industry studies, and reports from regulatory agencies across the world. This article identified the top 430 largest data breach incidents among more than 10,000 data breach incidents.

In the process, we encountered many complications, especially regarding the lack of standardization of reporting. This article should be especially interesting to the readers of JDIQ because it describes both the range of data quality and consistency issues found as well as what was learned from the database created.

The database that was created, available at, shows that the number of data records breached in those top 430 incidents increased from around 4B in 2018 to more than 22B in 2019. This increase occurred despite the strong efforts from regulatory agencies across the world to enforce strict rules on data protection and privacy, such as the General Data Protection Regulation (GDPR) that went into effect in Europe in May 2018. Such regulatory effort could explain the reason why there is such a large number of data breach cases reported in the European Union when compared to the U.S. (more than 10,000 data breaches publicly reported in the U.S. since 2018, while the EU reported more than 160,0001 data breaches since May 2018). However, we still face the problem of an excessive number of breach incidents around the world.

This research helps to understand the challenges of proper visibility of such incidents on a global scale. The results of this research can help government entities, regulatory bodies, security and data quality researchers, companies, and managers to improve the data quality of data breach reporting and increase the visibility of the data breach landscape around the world in the future.

Nelson Novaes

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.