The Brazilian delivery giant iFood has officially confirmed a data breach affecting approximately 1.2 million customers, which represents 2% of its total user base. According to the company, the compromised information includes registration details such as names and CPF numbers, though it maintains that no passwords or financial data were exposed during the incident.
The confirmation follows a period of conflicting claims by cybercriminals who initially boasted of stealing data from over 43.8 million accounts. While the investigation is ongoing, several key technical details have emerged regarding the possible nature of the attack:
- The breach may have originated from the SIRA system via an exploited IDOR (Insecure Direct Object Reference) vulnerability.
- Attackers claim to have maintained access for roughly three months using a compromised police account.
- The hackers have set a deadline of June 10 to conclude negotiations before potentially releasing further information.
Despite the criminal group's claims of having access to tens of millions of records, iFood maintains the scope is limited to the identified 1.2 million users. Security experts note that IDOR vulnerabilities are particularly dangerous because they allow unauthorized access to database objects simply by manipulating the object identifier in a request, highlighting a critical need for robust per-object access control verification in large-scale platform architectures.
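As an added example that is not part of the article and is not iFood's or SIRA's code, the pattern the experts describe is shown below in Python: a record lookup that trusts a client-supplied identifier (the IDOR) beside a hardened form that enforces object-level authorization from the server-side session and logs each denial for detection. All records, user ids, function names and CPF values are constructed for illustration.

```python
"""Added example (not iFood's code): an IDOR-vulnerable record lookup beside
its hardened form. Every record, user id and CPF value here is constructed."""
from dataclasses import dataclass
from typing import Optional, List


@dataclass(frozen=True)
class Record:
    record_id: int
    owner_id: int
    name: str
    cpf: str  # constructed placeholder, not a real CPF


# Constructed sample data: two customers, each with one registration record.
RECORDS = {
    1001: Record(1001, owner_id=7, name="Alice", cpf="000.000.000-01"),
    1002: Record(1002, owner_id=9, name="Bob", cpf="000.000.000-02"),
}

# Server-side audit trail of denied object access (hypothetical sink; in a real
# service this would go to the application log / SIEM).
AUDIT_LOG: List[str] = []


def get_record_vulnerable(session_user_id: int, record_id: int) -> Optional[Record]:
    """IDOR: the object is fetched purely by the client-supplied id.

    The authenticated identity is never compared against the object's owner,
    so any logged-in user can read any record by changing the id in the
    request. The session_user_id parameter is accepted but ignored."""
    return RECORDS.get(record_id)


def get_record_hardened(session_user_id: int, record_id: int) -> Optional[Record]:
    """Object-level authorization: ownership is derived from the server-side
    session, never from request data, and is checked before the object is
    returned. Equivalent to scoping the query itself
    (SELECT ... WHERE id = ? AND owner_id = ?) rather than filtering after."""
    record = RECORDS.get(record_id)
    if record is None:
        return None
    if record.owner_id != session_user_id:
        # Log server-side for detection: a burst of these from one session is
        # the classic enumeration signature. The client gets the same answer
        # as for a missing id, so the endpoint does not confirm which ids exist.
        AUDIT_LOG.append(
            f"authz_denied user={session_user_id} record={record_id}"
        )
        return None
    return record


def denied_count_for(session_user_id: int) -> int:
    """Number of denied object accesses logged for one session identity;
    a simple per-user threshold on this is a cheap enumeration detector."""
    needle = f"user={session_user_id} "
    return sum(1 for entry in AUDIT_LOG if needle in entry)


if __name__ == "__main__":
    # User 7 (Alice) requests Bob's record id through both handlers.
    print("vulnerable:", get_record_vulnerable(7, 1002))
    print("hardened:  ", get_record_hardened(7, 1002))
    print("own record:", get_record_hardened(7, 1001))
    print("audit log: ", AUDIT_LOG)
```

The design point is that the ownership check runs on every object fetch and is keyed to the session, not to anything the client sends; logging the denial (while returning a generic response) is what turns an attempted enumeration into a detectable event rather than a silent success.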