iFood confirms data leak of 1.2 million app users

The iFood application reported this Wednesday (3) that a user data leak was recorded in December 2025 that affected around 2% of its base, that is, around 1.2 million people. According to the company, the cyber attack was quickly contained.

iFood stated that the event involved registration data, such as name and CPF, without any compromise of passwords, payment methods or financial records, and that the leak was an isolated incident, quickly neutralized by its security protocols.

The company reported that it did not report the leak to the National Data Protection Authority (ANPD), as the event does not entail any relevant risk or damage to data subjects, as defined by the agency’s criteria.

In a note, the ANPD confirmed that it did not receive communication of a security incident involving iFood, but that it requested the necessary information, and said that the General Data Protection Law (LGPD) determines that the data controller must communicate to the ANPD and the holders of personal data, within three business days, security incidents that may pose a relevant risk or damage to the holders.

According to the body, the risk assessment must consider, among other factors, the nature of the affected data, the volume of data subjects impacted and the potential effects resulting from the incident. Even in situations where there are still doubts about the extent of the risks and damages involved, the controller must adopt appropriate preventive measures.

The cybersecurity website Dark Web Informer, which monitors dark web forums, reported that last week a user of Breach Forums, a hacking community, claimed to have stolen data from 43.8 million iFood users.

The hacker stated that he had obtained CPFs, full names, emails, telephone numbers and credit card data, and asked the company to contact him by June 10 to pay an unspecified amount.

iFood denied that the leak was of such magnitude, reaffirming that those affected were 1.2 million and that only registration data had been leaked, without any compromise of other information.