Cybernews research revealed a publicly accessible Elasticsearch instance, which contained a staggering amount of private data belonging to Brazilian individuals.
Elasticsearch is a commonly used tool for the search, analysis, and visualization of large volumes of data. The leaked data was not linked to a specific company or organization, preventing Cybernews from identifying the source of the leak.
The cluster, located on a cloud server, contained the data with full names, dates of birth, sex, and Cadastro de Pessoas Físicas (CPF) numbers. This 11-digit number identifies individual taxpayers in Brazil.
The leaked data contained more than 223 million records, which implies that the entire Brazilian population might be affected by the leak.
While the data is no longer publicly available, in the hands of a malicious actor, the exposed data could have been misused for identity theft, fraud, and targeted cybercrimes. This could have resulted in financial losses, unauthorized access to personal accounts, and other severe consequences for the individuals affected.
The massive scale of the leak amplifies the potential impact. Previously, Cybernews reported massive leaked data sets allegedly belonging to governmental entities being sold online.
If you want to know more about other massive data leaks take a look at the original post at CyberNews:
https://cybernews.com/security/brazil-data-leak-cpf-card/
About the author: Paulina Okunytė, Journalist at CyberNews
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Brazilian individuals data leak)