The Premise News

iFood Data Breach Exposes 1.2 Million Users; Company Declines Direct Notification

Victória dos Santos de Sá
Image copyright: Rafael Henrique | Dreamstime.com

iFood has officially acknowledged a data breach that exposed personal information of 1.2 million users. The incident, which occurred in December 2025, was described by the company as isolated and quickly contained. According to the firm, only about 2% of its total customer base was affected. The disclosure came in an official statement released on Wednesday, June 3, 2026.

Security Incident Details Revealed

The exposed data includes the full names and CPFs of affected users. However, the company assures that no account login credentials, such as passwords, were compromised. Payment method details, financial records, and banking information were also unaffected. The firm states that there is no evidence that transactions on the platform were accessed improperly.

Legal Grounds for Non-Notification

iFood said it followed protective measures in line with the General Data Protection Law (LGPD). The case was handled according to current legislation. The decision not to formally notify users was based on an assessment that the incident posed no relevant risk or damage. The company cited regulatory criteria defined by the National Data Protection Authority (ANPD) to justify this position.

Expert Concerns Over Data Sensitivity

Digital security experts warn that the exposure of names and CPFs can open the door to social engineering scams. Although passwords and financial data did not leak, the CPF is a sensitive piece of information. iFood maintains its position that no relevant harm occurred. The choice not to communicate could spark debate about the risk criteria adopted under the LGPD.

Customer Guidance and Unknowns

The company has advised customers to distrust unofficial messages that may circulate about the incident. iFood stressed that any legitimate communication will come only through its official channels. It has not said whether it will individually notify the 1.2 million affected users. So far, there is no information on the breach's origin or the attackers responsible.

In its official note, the firm did not detail whether the breach was reported to the ANPD or other authorities. The company reaffirmed that all communications are made exclusively via its official channels. The lack of individual notification may leave many users unaware of their exposure. This silence creates a gap in consumers' ability to respond proactively.

The Premise News Editorial View: This leak exposes a fragility in how companies interpret the LGPD. iFood chose not to inform clients, citing the absence of relevant risk, but CPFs and names are themselves sensitive data that can be used for fraud. At stake is consumer trust in digital platforms and the effectiveness of self-regulation. The tension between due transparency and technical compliance with the law reveals a gap in practical data protection. Users should remain alert to suspicious contact attempts in the coming days, especially those using name and CPF as bait. The lack of formal notification could keep those whose data was exposed from reacting. Ultimately, the case serves as a reminder that even without immediate financial harm, privacy is an asset that demands greater corporate responsibility.
