The Cadastro de Pessoas Físicas (CPF) is a taxpayer registry identification number for Brazilians; in this case, 120 million CPFs were exposed online.
The IT security researchers at InfoArmor’s Advanced Threat Intelligence team discovered a treasure trove of personal sensitive data belonging to over 120 million Brazilians exposed on an unprotected AWS (Amazon Web Service) S3 cloud storage bucket.
The data according to InfoArmor’s report [PDF] included 120 million unique Cadastro de Pessoas Físicas (CPFs). CPFs are an identification number issued by the Brazilian Federal Reserve to Brazilian citizens and tax-paying resident aliens.
It didn't end there. Each CPF was linked to its owner's bank account, which further exposed details such as full name, email address, physical address, date of birth, phone numbers, employment, loans, credit or debit history, repayments, voter registration numbers, voting history, family contacts, and contract amounts.
The exposure was identified in March 2018 during routine scanning for compromised machines, but the company only shared the details this week.
“What was originally misconfigured to be accessible by IP address was reconfigured as a functional website with an authenticated alibabaconsultas.com domain that redirected to its login panel. Although InfoArmor cannot be sure that alibabaconsultas.com was responsible for the leak, it appears they were somehow involved, likely in a hosting-as-a-service function,” InfoArmor said.
It is noteworthy that over the last couple of years there have been a number of cases of unprotected AWS buckets exposing confidential data to the public, including 100GB of classified NSA data and files exposing the US military's social media spying campaign.
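The common thread in these incidents is a bucket whose ACL or bucket policy grants read access to everyone. The following added example (not from InfoArmor or the article) is an offline checker for the two configuration shapes that produce that exposure, using the response structures that boto3's get_bucket_acl and get_bucket_policy return; the ACL and policy inputs are constructed samples, and the bucket name and owner ID are placeholders.

```python
import json

# S3 ACL group URIs that make a bucket readable by anyone on the internet,
# or by anyone holding any AWS account (which is effectively public).
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:*", "*"}


def public_acl_grants(acl):
    """Return (group, permission) pairs an ACL grants to the public groups."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return found


def public_policy_statements(policy_json):
    """Return Sids of unconditional Allow statements that give a read action to Principal '*'.
    Statements carrying a Condition (e.g. a source-IP restriction) are deliberately not
    flagged here, so this check under-reports rather than over-reports."""
    found = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        is_anyone = aws == "*" or (isinstance(aws, list) and "*" in aws)
        actions = stmt.get("Action", [])
        actions = {actions} if isinstance(actions, str) else set(actions)
        if is_anyone and actions & READ_ACTIONS:
            found.append(stmt.get("Sid", "<no Sid>"))
    return found


def bucket_is_exposed(acl, policy_json=None):
    """True if either the ACL or the bucket policy makes objects world-readable."""
    return bool(public_acl_grants(acl)) or (
        policy_json is not None and bool(public_policy_statements(policy_json)))


# Constructed samples in the shape boto3 returns; IDs and bucket name are placeholders.
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"}, "Permission": "FULL_CONTROL"}
EXPOSED_ACL = {"Grants": [OWNER_GRANT, {"Grantee": {"Type": "Group",
               "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
PRIVATE_ACL = {"Grants": [OWNER_GRANT]}
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket-placeholder/*"}]})

if __name__ == "__main__":
    print(public_acl_grants(EXPOSED_ACL))          # [('AllUsers', 'READ')]
    print(public_policy_statements(EXPOSED_POLICY))  # ['PublicRead']
```

In a real audit, feed the checker the output of get_bucket_acl and get_bucket_policy for each bucket, and pair it with the account-level S3 Block Public Access settings, which override both.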
“With the mad rush to share tenant cloud services, we are seeing a tremendous amount of leaked data that is potentially 10 times greater than actual threat actor activity,” says Christian Lees, a chief intelligence officer at InfoArmor.
InfoArmor believes that the data could have been accessed by a malicious party. The company also informed the website administrators about the exposure, who took over a month to secure the data. At the time of publishing this article, the exposed website was displaying a “website coming soon” banner.
“It is safe to assume that any intelligence organization or cybercrime group with reasonable collection capabilities and expertise will have captured this data. This data could very likely be used against the population of Brazil, the nation of Brazil, or any nations hosting people who have a CPF,” InfoArmor concluded.
This is not the first time that personal details of Brazilians have been exposed online. Last week, an unsecured server leaked the personal details of 32 million Sky Brazil subscribers. In August this year, the personal data of 264,000 users was exposed after a popular Brazilian crypto exchange suffered a data breach.