The company stated that the event involved registration data, such as name and CPF, without any compromise of passwords, payment methods or financial records
The iFood application reported this Wednesday (03) that a user data leak recorded in December 2025 affected around 2% of its user base, that is, around 1.2 million people. According to the company, the cyber attack was quickly contained. iFood stated that the event involved registration data, such as name and CPF, without any compromise of passwords, payment methods or financial records, and that the leak was an isolated incident, quickly neutralized by its security protocols.
The company said that it did not report the leak to the National Data Protection Authority (ANPD) because, under the agency's criteria, the event does not entail any relevant risk or damage to data subjects. In a note sent to Estadão, the ANPD confirmed that it did not receive communication of a security incident involving iFood, but that it requested the necessary information. It also said that the General Data Protection Law (LGPD) requires the data controller to notify the ANPD and the data subjects, within three business days, of security incidents that may pose a relevant risk or damage to the data subjects.
According to the agency, the risk assessment must consider, among other factors, the nature of the affected data, the volume of impacted data subjects and the potential effects resulting from the incident. Even in situations where there are still doubts about the extent of the risks and damages involved, the controller must adopt appropriate preventive measures.
The cybersecurity website Dark Web Informer, which monitors dark web forums, reported that last week a user of Breach Forums, a hacking community, claimed to have stolen data from 43.8 million iFood users. The hacker claimed that he had obtained CPFs, full names, emails, telephone numbers and credit card data, and asked the company to contact him by June 10 to pay an unspecified amount.
iFood denied that the leak was of such magnitude, reaffirming that 1.2 million were affected and that only registration data had been leaked, without any compromise of other information.