[HN Gopher] Giant leak exposes data from almost all Brazilians
___________________________________________________________________

Giant leak exposes data from almost all Brazilians
Author : JeanMarcS
Score : 230 points
Date : 2021-01-25 16:01 UTC (6 hours ago)
Link : www.somagnews.com

Xunjin wrote:
I'm so proud of my country, we just got the goal, time to double it.

And if you ask the politicians to improve security, they will probably say "put 2 more security guards outside the building".

pelasaco wrote:
I don't see how it can be new. When I lived some years in Brazil (around 1999-2001), you could buy, at a specific street in Sao Paulo, a CD with all the tax information for every Brazilian citizen.

FalconSensei wrote:
I remember seeing the news, years ago, that a guy was trying to discover where spammers were getting his email. So he created a bunch of emails for different things.

Guess which email started receiving spam very quickly? Yeah, the one he used for taxes.

Consultant32452 wrote:
I remember in the 90s when we thought it was funny to sign people up for every newsletter we could find. You could basically destroy someone's email address, making it forever unusable, by spending an hour signing up for junk.

dang wrote:
Url changed from https://www.databreaches.net/giant-leak-exposes-data-from-al..., which points to this.

EGreg wrote:
We should literally start making a parody of this article, but on our blog:

https://en.wikipedia.org/wiki/%27No_Way_To_Prevent_This,%27_...

EDIT: I wrote it

https://qbix.com/blog/2021/01/25/no-way-to-prevent-this-says...

diego_moita wrote:
> vulnerable to 220 million people.

In a country with 207 million people. This means that even the dead can't rest in peace.

On the bright side, we'll not have any data leaks anymore because there will be no more secrets to leak. :)

Chico75 wrote:
Probably concerns citizens living abroad as well.

cuca_de_chumbo wrote:
I was born dual US/Brazil and left Brazil just after turning 18, about 36 years ago, wondering whether I'm in the leak and whether anyone could use my info to open illicit bank accounts, etc. I don't want to be associated with money laundering, and am too far in headspace from financial institutions/credit bureaus to check it out.

FalconSensei wrote:
If you declared a permanent out-of-country move, you (or an impersonator) shouldn't be able to open accounts/buy things - as far as I know.

kinow wrote:
I think there are extra fees as a foreigner. You are not prohibited from having a bank account, insurance, using credit, etc. But most systems will prevent the CPF from being used without some sort of special approval.

atbpaca wrote:
Another embarrassment for Bolsonaro and his minions. #impeachment

andersonvieira wrote:
I don't see how your comment is anything more than FUD.

The leaked information suggests it may have come from Serasa Experian [1], although they deny it, or some third party that provides services to them. I haven't seen any evidence the government has anything to do with this.

[1] https://tecnoblog.net/405077/especialistas-alertam-para-risc...

rapfaria wrote:
How is this directly related to Bolsonaro? Because it happened in the country he is president of?

gcblkjaidfj wrote:
The original comment is likely a troll, but the current government did place a bunch of amateur hacks in the highest positions of power, which led to things like the minister of culture asserting to the public that a woman belongs in the kitchen, or the minister of education asserting in public that the humanities like sociology and history must disappear from the face of the earth, and the minister of environment saying in a leaked video of a presidential meeting that thanks to covid they now had the distraction they needed to kill Indians and give the land to soy farmers.

So, even if a trollish comment, it is not too removed from the truth. I can see how incompetence, cost cuts, corruption and favoritism (he did place all his sons in a Trump-like fashion in his cabinet) might have led to this. Not to mention the relaxing of oversight and the rule of law, which allowed for even more departments (and the private companies working for those) to hold and share this information without concerns.

The previous government (removed illegitimately in a coup) did place emphasis on digital security. Brazil has had safe electronic voting for decades, and Brazilians have received a Java application from the government to do their taxes since the 90s. The current government was elected on the basis of "we will undo everything the last <<corrupt>> government did".

Natsu wrote:
> The previous government (removed illegitimately in a coup)

Dilma was impeached and removed, Temer finished her term, then Bolsonaro won the election after getting stabbed, and nearly killed, by opposition supporters. I know he's highly controversial, but he did win the election.

The removal of Dilma is not normally what one would describe as a "coup." The military junta from 1969, however, is.

marcodiego wrote:
Not very important, but Temer himself called it a "golpe" (coup): https://www.youtube.com/watch?v=eiW84yYAkQ8

oscargrouch wrote:
What you are describing is a "hard coup", while in the case of Dilma it was what can be described as a "soft coup".

Yes, the congress followed all the legal proceedings, but in the end they did not prove that the accounting maneuver her government did was illegal, and it was therefore unfit for what could be called a legal impeachment proceeding.

If you add this to everything that was happening behind the curtains (and history will make this even more clear), yes, it was a coup, just one of a different sort. (BTW a lot of important players of the time are starting to confess everything they did, and how dirty it was.)

Imagine that without any legal proof, the legislative chamber can throw out any legitimate president, basically nullifying the people's wish and therefore the democracy. Also this will make the legislative power the most powerful one over the two others, going against the three-power (separation of powers) concept of Montesquieu.

That's why the impeachment proceeding cannot be based only on political grounds, but also needs a clear legal basis of the government doing something wrong under the current legal framework.

In the case of Dilma, only the political axis was at play, and a dirty one I must say, where they didn't respect the legal grounds and in the end there was no proof of her wrongdoings.

virgulino wrote:
> What you are describing is a "hard coup", while in the case of Dilma it was what can be described as a "soft coup".

That is inventing new words and definitions for your convenience. It cuts both ways: one can say it was a "democratic coup", a "constitutional coup", a "popular coup" (more than 60% of the population in favour), a "coup against tyranny and poverty" (worst reduction in GDP in 120 years), etc.

Listen to one of our most respected historians, https://pt.wikipedia.org/wiki/Daniel_Aar%C3%A3o_Reis , an academic awarded for his work on dictatorship and democracy, who also fought against our dictatorship in a guerrilla war, founded the PT, Dilma's party, and worked in many of the PT governments: it was not a coup.

https://oglobo.globo.com/brasil/artigo-impeachment-golpe-dem...

Lula, Dilma and her party tried to impeach Social Democrat President Fernando Henrique 45 (forty five!) times.

By your own definition, they tried 45 coups, making them the biggest coupists in Brasil's history.

Natsu wrote:
Even if you say the ouster of Dilma was illegitimate, there's the fact that her VP served out the rest of her term, then the party lost the next election. There's no "coup" because there was no loss of power by anything other than the democratic process.

Now of course there have been all sorts of dirty political dealings; those just aren't described by the word "coup." That said, if some day Bolsonaro or others form a new junta, then I will agree with you at that later time. But that day is not today, unless I am slow in receiving news of a newly formed junta.

gcblkjaidfj wrote:
Does Brazil have a 50c army like China now?

> then the party lost the next election.

With the running candidate jailed with obviously fabricated evidence and released last year with no conviction. All the while with WhatsApp campaigns promoting pizzagate-like conspiracies.

> her VP served out the rest of her term

That I fully blame on the party picking an extremely right-wing VP to be able to get elected. But don't make the soft coup less of a coup. The VP was chosen to get support from the farmers and religious groups that control most of the interior of the country, and they paid the price for that.

virgulino wrote:
> with the running candidate jailed with obviously fabricated evidence and released last year with no conviction

That is factually false, and very very easy to fact check.

Natsu wrote:
I guess when they said "Lula e Haddad, Haddad e Lula" ("Lula is Haddad, Haddad is Lula") people took it a bit too literally? :)

Natsu wrote:
> Does Brazil have a 50c army like China now?

If it does, I didn't get my 50 Mao cents for posting. And you'd think China would support the Partido dos Trabalhadores (Workers' Party) ideologically, but it's their Mao cents, not mine.

Lula was convicted twice; he only got freed from jail because of a new legal ruling that said that you can't be jailed until all appeals have been heard. That's... not the same as "no convictions", even if you want to claim the judges were both biased.

And I'm not aware of anyone accusing Lula of being a pedophile, though maybe someone did? Everything I remember hearing blamed him for robbing Petrobras. You sure you're not getting Lula confused with "Joao de Deus"? I thought he was the one who was raping people.

marcodiego wrote:
> he only got freed from jail because of a new legal ruling that said that you can't be jailed until all appeals have been heard

Actually Lula deliberately chose to stay imprisoned: https://veja.abril.com.br/politica/lula-nao-quer-cumprir-pen...

eznzt wrote:
They are not that far off on sociology lol

afrcnc wrote:
Another one?

Didn't this also happen last month? (https://www.zdnet.com/article/data-of-243-million-brazilians...)

rafaelturk wrote:
Brazilian here. Same leak. New info suggests that the files contained far more info than previously thought.

hezag wrote:
Yep, another one. This time it's from a credit bureau.

hi5eyes wrote:
https://www.somagnews.com/giant-leak-exposes-data-from-almos... links to the source of the snippet:

> According to the experts, who use artificial intelligence techniques to identify malicious links and fake news, the leaked data contains detailed information on 104 million vehicles and about 40 million companies, potentially vulnerable to 220 million people.

dang wrote:
Ok, we've changed to that from https://www.databreaches.net/giant-leak-exposes-data-from-al.... Thanks!

marcosdumay wrote:
Thanks, finally somebody telling what data is in the leak.

> Information on the more than 104 million vehicles reveals important details, such as chassis number, license plate, municipality, color, make, model, year of manufacture, engine capacity and even the type of fuel used. In the case of legal entities, the following were leaked: CNPJ, corporate name, trade name and date of foundation.

Every piece of information on this list is either plainly visible (for cars) or published by the government.

The article talks about data of real people (not companies), but doesn't say what leaked about them.

Fabricio20 wrote:
This link [0] may have the information you are looking for.

The link above seems to be from an unrelated breach; the one discussed in the OP affects pretty much everything, not even your LinkedIn profile managed to escape.

[0]: https://tecnoblog.net/404838/exclusivo-vazamento-que-expos-2...

marcosdumay wrote:
Wow, yes, that has the information. That's a really broad leak.

diegoholiveira wrote:
> The article talks about data of real people (not companies), but doesn't say what leaked about them.

Personal data (CPF, birthday and so on), credit scores, social class, acquisitive power, and other information that a company specialised in credit scores has. (The leak is probably from a credit score company.)

geek_at wrote:
Has anyone calculated, at the current rate of leaks, how long it would take for every human on earth to be in some of these lists?

xiphias2 wrote:
I treat my face, name, birthday and numbers as open data.

Maybe companies should stop using these things for verification and start allowing people to use cryptography more efficiently.

reaperducer wrote:
_I treat my face, name, birthday and numbers as open data._

So because you don't value privacy and choose not to control your personal data, nobody else deserves privacy or to control their personal data?

danilocesar wrote:
He will change his mind when he realizes that the information his bank uses to verify his identity is part of his open data now...

dudeman13 wrote:
I don't think he meant it as nobody deserves privacy and to control their personal data.

I took it as "it's there anyway and there's no point for me to pretend that it is not".

Shivetya wrote:
Companies? How about your government? I have a coworker who had returns filed against them by someone in prison! If that does not startle people, how about that in some states absentee votes are merely verified against a signature on file.

What we need is a means by which others can be sure it really is us, and we can be sure that actions we have taken are credited to us and those we did not are not.

In effect we will need a system by which we have instant notification, similar to how some CC providers mail or text you each transaction, and historical tracking so that we can prove when we did or did not.

However there are not many unique methods to physically identify people short of DNA transfer. I know that people bring up Minority Report whenever facial recognition comes up, but that wasn't the tech they used; they used iris recognition.

So we break down each action and assign a value to how secure and verified it must be and work our way up from there. Similar to how self-driving cars are defined, on a level of one to five, how secure must an action be before it's accepted.

xiphias2 wrote:
I don't see much difference between companies and governments; that's why having an authentication standard that is accepted by all of them (and users as well) is important.

nkrisc wrote:
That won't happen until companies are held liable for damages caused by inadequate authentication processes.

If a bank gives a credit card to someone who says they're me, based only on my SSN, I don't see why that should be my problem. It's between the bank and whomever they gave the card to. If they don't know who they actually gave it to, well then it sounds like they need to improve their process.

But it becomes my problem because it's my credit score that gets ruined.

lotsofpulp wrote:
Everyone has cameras. How a photo of yourself with thumbs up isn't required is beyond me. It's extremely easy, and would cut down on a lot of fraud.

Pxtl wrote:
Which would mean you're constantly sending a photo of yourself with your thumbs up to people, and it becomes trivial to fake.

I guess it could be "we need a selfie video of you reading this 6 digit number aloud".

xiphias2 wrote:
Video verification is completely normal at this point.

fastball wrote:
Deepfakes.

xiphias2 wrote:
Deepfakes are not yet that good for live video, but you are right; using an open authentication standard that can be transferred between devices would be the only good solution at this point.

Companies and governments could verify me live to authenticate my public keys.

randerson wrote:
I can just imagine the future: instead of reading stories of identity theft, we'll read about people getting locked out of their identity... like the folks today who lose their Bitcoin keys.

rudyfink wrote:
"Of course, you can always pay a recovery company to get your identity back. But, that's expensive--more than most people have. The company will do it on credit (if they like your prospects), but then they have title to your identity until you pay them back, which, for many, is a day that never comes. The charges, service fees, garnishments, and interest on the above just add up and up."

r00fus wrote:
Where is this from?

Lammy wrote:
I would guess "some time around 2012".

Yizahi wrote:
Any day now. I guess we will have a global info system a la Hyperion with zero privacy. It will be suspicious to be absent from such a system instead.

nicoburns wrote:
It doesn't really work like that. Some humans are likely completely off grid and not on record anywhere.

reaperducer wrote:
_Some humans are likely completely off grid and not on record anywhere._

Quite a few, including a good percentage of my relatives.

One is particularly good at it. Aside from the wages his employer reports to the federal government, property ownership records, and an SSN, he simply doesn't exist.

He gets paid each week in cash. Doesn't have a bank account or credit card. Because of his lifestyle and the type of vehicle he uses, he doesn't need a driver's license, registration, or insurance. His home has solar panels, a propane generator, and a well, so no utilities. I don't know what he does about trash service, but having seen the town, I wouldn't be surprised if it's still legal to burn your garbage on your property.

He's happy. Not paranoid that I can tell. He just lives a simple life where satisfaction comes from reading books and improving his mind, and not from hoarding electronic gadgets and social media thumbs to prove his worth.

fmntf wrote:
Please, do not misunderstand my question as a judgment or whatever. May I ask the (approximate, country/continent) location where your relative lives?

kroltan wrote:
An "SSN" was mentioned, so likely U.S.

danilocesar wrote:
Even though it sounds pretty bad and big (and it is), this is not new to Brazilians. It's a known thing that you can buy DVDs (yes, DVDs) with personal data from millions of Brazilian customers on the streets of Sao Paulo, at the daylight market (called Camelo's).

There were some news articles about it a few years ago. Even the former president's data was there. Social Security Number (not as secret as it is in the US and Canada), address, name, phone number. Even some family relations. It was pretty cheap.

doubleclutch wrote:
So, CPF is not really a big deal, but I think here you can map cars based on license plates to persons and companies. Think about it.

jbotz wrote:
The Brazilian blog "Tecnoblog" has the full details here [1], with a list of all the information allegedly included in this data. If they are correct, that's pretty much everything about everybody... I mean personal info (like addresses and phones, family, education, employer), financial info (like bank accounts, salary, credit score, creditors, bounced checks, whether receiving government assistance), other background info... for some entries (over a million) there are even mugshots!

[1] https://tecnoblog.net/404838/exclusivo-vazamento-que-expos-2...

malandrew wrote:
Is there a way for someone to look up what leaked about them so they can determine how problematic this could be?

slig wrote:
Yes. The hacker has a contact email where you can send queries using the CPF (unique for each Brazilian) of whoever you want. He'll then send you a bitcoin address for payment and send you back the info.

ObscureScience wrote:
It would be pretty short-sighted to reward such an individual.

aww_dang wrote:
Articles about breaches rarely if ever contain a link to the actual data. I'm left trusting the journalist, who may or may not be tech literate. Even a random sampling of the records would be more illustrative than anything these bloggers post about.

doubleclutch wrote:
CPF is not a big deal, but if I read it correctly, you can basically search people/companies based on license plates, which is a big deal.

iandanforth wrote:
Man, why can't we get some useful data leaks? Like all the records from companies incorporated in DE, or all the tax records from companies and rich people, or another one from offshore account havens.

rightbyte wrote:
Ever heard of the Panama Papers?

dyingkneepad wrote:
> "No, we have bigger problems than that to worry about."

Pretty much that. In the "Maslow's pyramid of government-related needs", the doxxing is near the top. People are much more worried about stuff like not dying of covid, not being kidnapped, not dying in traffic, paying the dreaded Boletos (bills), etc. Internet doxxing is dwarfed by the more urgent needs. Brazilians are also sure that exactly zero things are going to be done about these leaks. Some government representative is going to say "we're going to investigate" and that's as much as we're going to get.

I would love to be wrong here, by the way.

Kaze404 wrote:
We must live in very different parts of Brazil, because around these parts no one seems to care about Covid, which doesn't surprise me considering the message we get from the federal government.

lukasdanin wrote:
Unfortunately, you're not wrong.

kurthr wrote:
Oh, no. It seems much more useful than that. By knowing credit, salary, age, and address... it's much easier to target high "value" targets for on-line, or more likely in Brazil in-person, burglary or home invasion. This also gives cover to individuals, banks and other organizations to drain large accounts by "guessing" passwords, since now it could be "anyone".

Like Covid, this is likely to be another generational wealth transfer event. It will be interesting to see how much stays in the country, but I expect most of it will.

Natsu wrote:
This says that it leaked Brazilians' names & CPF numbers.

CPF being the number that people give to _every random shopkeeper_ to enter that tax lottery. So, it's... not exactly a big secret. To do most official-type things you have to go down to the cartorio (notary office) with your actual ID, not just enter the number.

Heck, I've been to places where you had to use one to use the free wifi. Granted, in that particular case, it didn't care if you used someone else's. I wouldn't be surprised if that was also true elsewhere, honestly.

I'm sure someone will find ways to misuse this, but Brazil has bigger problems. Also, this doesn't seem to be a leak of government data; it looks like it came from Serasa Experian or one of its contractors.

So yeah, I tend to agree with you. If the government does something, it will probably be like that law posted on every elevator warning you to check that there's an actual elevator there, instead of just walking into the empty shaft. For those curious, that'd be lei estadual n^o 9.502 de 11/03/1997 (state law no. 9.502 of 11/03/1997) - https://www.al.sp.gov.br/norma/?id=9419

ascorbic wrote:
The CPF is quite annoying as a tourist. Mostly there are workarounds, but it is ridiculous how many things assume you have one. Yes, fake ones usually work. It was a few years back when I visited, but the hoops I had to jump through to buy an internal flight were unbelievable. I mean, the idea that a non-resident might want to travel within the country on a budget airline, right??

Natsu wrote:
Yeah, I hear you. Technically, anyone can get one, though I believe it comes with some annoying tax obligations, so it's not really something one would do as a tourist.

brwolfgang wrote:
Not just CPFs and names were leaked; lots of correlated information was leaked too, such as credit scores, civil status (married, single, etc), gender, birth date, e-mail, phone number, home and work addresses, education level, job, salary, net income, tons of data about bank accounts, even face pictures!

All that data, just available for anyone to dig in and do their worst.

Source (pt-br): https://tecnoblog.net/404838/exclusivo-vazamento-que-expos-2...

rodolphoarruda wrote:
Yes, plenty of data for anyone wanting to impersonate you and do social engineering virtually everywhere in the Brazilian territory.

Swizec wrote:
Reminds me of the American SSN.

_"This number is super secret and you must guard it with your life and never share! Oh also write it down on every semi-official form, send by paper mail, and enter into all sorts of webapps"_

crazygringo wrote:
But the American SSN, while abused, is still _supposed_ to be a secret.

I don't believe the Brazilian CPF is meant to be a secret at all. It's used for literally everything.

In America, you don't give your SSN to your utility company or when signing up for an online subscription. But in Brazil, you use your CPF to do that.

throwawayboise wrote:
> In America, you don't give your SSN to your utility company

You do where I am, because they run a credit check to determine whether you need to pay a deposit.

Legally it is not supposed to be used for identity at all, except for Social Security (and IRS) purposes. But in practice that doesn't happen and it's not particularly secret. It used to be pretty common for people to include it on their pre-printed checks. When I was in college it was used as the student ID number. This was all before "identity theft" was really a thing people worried about.

vmception wrote:
I don't bother being secretive about my SSN; it's security theatre. The person in earshot has a lower likelihood of bothering with it when every service provider that also has it will get mass hacked and is the primary target.

I use a separate TIN or EIN (Tax/Employer Identification Number) where I can. All my businesses have one; even a sole proprietorship that exists purely in your head can obtain one, and this can go on many forms.

mixmastamyk wrote:
Interesting, if you get paid on another TIN does it effectively become your main SSN? What about at retirement time? Would like to hear more about this.

vmception wrote:
"Effectively become your main SSN": no, but loaded question. Fewer places would have your SSN or TIN. The only difference it really makes is peace of mind, relying on the current reality that hackers aren't targeting you or anyone specifically, and you will have an additional way to verify yourself if someone did try to do identity theft or whatever you're worried about. Online people databases will still be reporting pieces of your older SSN while you have been primarily giving services a different number.

Retirement time isn't a problem. If your business is getting paid and the person that pays needs your TIN/EIN, then that's what they get instead of your SSN. You are still paying self-employment taxes, contributing to retirement.

jccooper wrote:
EINs don't accumulate Social Security, but when you file taxes you'll pay "self-employment tax" on earnings from that "business" and those go to your personal SS account.

When you use an EIN you're basically claiming to act as a business. For some cases, you can do that just fine. But for a lot of SSN requests for identification or credit checks it won't work. And anyone who cares that it's an SSN vs a TIN can figure that out easily.

Tagbert wrote:
But the SSN was not really intended to be secret. It is not designed to be a proof of identity, but so many companies have treated it that way that it gives more access than it should. If we could prevent companies from using it like a password, it would no longer be a major risk to have it exposed.

Wowfunhappy wrote:
SSNs aren't really secret--you can find someone's pretty easily by going to a data broker.

ledialated wrote:
I love being asked to verify my SSN just to access my own information through an unknown entity that will not disclose who they are.

Natsu wrote:
Sure, the SSN is used a lot, but it's normally more for things on the level of bank accounts or signing up with a new employer, where there's some serious investment and need to validate your identity. When you enter it into a website, it'd better be for an important reason.

The CPF is something you might use at the grocery store when buying a piece of fruit in the hopes of winning 1000 BRL from the government for helping the store prove that it's paying its taxes. Go to SP and _every shop_ will ask "CPF na nota?" ("CPF on the receipt?"). True, you can just answer "nao obrigado/obrigada" ("no thank you"), but from what I saw, most people give it out.

You just don't see that same level of usage in the USA. You're not going to wander into some store and have the shopkeeper ask for your SSN as soon as you get to the counter.

EGreg wrote:
Another month, another set of news that can be solved by NOT storing all the data in one place by one company. But for that we need better software. This article is literally like The Onion article about guns. Maybe we should put it up with the names changed every few months:

https://qbix.com/blog

geoffbp wrote:
Sheesh!

___________________________________________________________________
(page generated 2021-01-25 23:00 UTC)