Alleged breach exposes 39 million records in Brazil

A potential data breach involving 39 million user records from Brazil was announced yesterday, February 4, 2025, on Breach Forums, a community forum for hackers.

The breach is said to have targeted a reporting system for work-related accidents called Comunicação de Acidente de Trabalho (CAT), which is part of the Brazilian National Institute of Social Security.

Breach details

On February 4, 2025, a user named Sorb claimed to have successfully accessed CAT’s databases and leaked 39 million unique records.

The asking price for this entire dataset is $1,800.

The affected data reportedly includes:

Employee data:

  • Employee’s name
  • Employee’s gender
  • Personal phone number
  • Personal email address
  • Job title

Employer data:

  • Employer’s name
  • Workplace phone number

Institutional data:

  • CTPS Number – Brazilian work permit number
  • CTPS Series – Additional identifier for work permits
  • CAT Number – Work accident report identifier
  • Document Type (CGC/CNPJ) – Specifies whether the document is for a company or individual
  • CBO Number – Occupational classification code in Brazil
  • CPF – Brazilian individual taxpayer identification number
  • CNPJ – Brazilian company registration number

The potential consequences for affected individuals could be serious.

Even basic personal details like names, phone numbers, and email addresses can be enough for bad actors to carry out scams using tactics like phishing and smishing, and to perform spam attacks.

But when this information is combined with other data, the risks become much greater—not just for individuals, but for their employers too.

Having access to CPF (identification) and CTPS (work permit) numbers, along with other personal details, can lead to cases of identity theft.


Additionally, if bad actors get employer data along with the CNPJ (company registration) number, it could lead to corporate identity theft.

The other exposed documents and data could make fraudsters seem more believable, increasing their chances of successfully defrauding affected individuals.

About Comunicação de Acidente de Trabalho (CAT)

The Comunicação de Acidente de Trabalho (CAT) is a report used in Brazil to notify the government of work-related accidents and illnesses. It ensures that workers get the medical care and compensation they need.

CAT is reported to the National Institute of Social Security (Instituto Nacional do Seguro Social, INSS).

What to do if you’re affected

If you think you or someone you know might be affected by this breach, here are some steps to help protect yourself:

  • Change your passwords: Even though no passwords were reported stolen, it’s smart to update them just in case. If you use the same password on different sites, change those too, and make sure each one is strong and unique.
  • Contact your bank and credit companies: The leaked data could be used for identity theft, which often targets banks. Let your banks and credit companies know about the breach so they can watch for any unusual activity and tell you what to do next.
  • Notify Receita Federal: If you think your CPF might be at risk, contact the Brazilian Federal Revenue Service. They can help you protect it from being misused.
  • Watch out for scams: Be careful with emails, calls, and texts, as your contact info might be exposed. Scammers may try to trick you using these details.
  • Monitor your accounts for unusual activity: Keep an eye on your bank and credit accounts for anything strange. Catching suspicious activity early can help you fix problems faster.

Stay informed

This incident is still unconfirmed, and the National Institute of Social Security has not yet released an official statement.

We will update this article with any new information to keep you informed.
