Misconfigured cloud server exposed taxpayer ID numbers of 120 million Brazilians

• A misconfigured Apache server containing CPF numbers of nearly 120 million Brazilians were exposed for an unknown period of time.
• The exposed CPF’s were linked to people’s sensitive information such as names, birth dates, emails, phone numbers, addresses, employment details, and more.

A publicly accessible web server, that was not properly configured, exposed the Cadastro de Pessoas Físicas (CPF) of over 120 million Brazilians. CPFs are an identification number issued by the Brazilian Federal Reserve to Brazilian citizens and tax-paying residents.

The exposed CPF’s were linked to people’s sensitive information such as names, birth dates, emails, phone numbers, addresses, employment details, bank account details, loans and repayment history, debit and credit history, voting history, voting registration numbers and more.

What happened?

According to security researchers at InfoArmor, an Apache web server, which was publicly accessible, was discovered in March 2018. Within the database, the default file “index.html”, was found renamed by someone to “index.html_bkp,” which caused the web server to do a directory listing of the files stored in that folder. These files are data archives ranging in size from 27 MB to 82 GB.

While InfoArmor was attempting to determine the owner of the server in order to notify them, the research team observed that an 82 GB file was later replaced with a raw 25 GB .sql file, though its filename remained the same.

In April 2018, InfoArmor researchers attempted to contact one of the email addresses registered to one of the hosts of the SQL. However, the email bounced back to them with ‘user unknown’. After two more attempts to contact the hosts, the research team received a reply from the hosts that “they had notified their customers about the legal issues of leaving such data exposed, yet the data remained exposed online for several weeks thereafter.”

Finally, later that month, the leaky server was secured. What was originally misconfigured to be accessible by IP address was reconfigured as a functional website with an authenticated alibabaconsultas.com domain that redirected to its login panel.

“Although InfoArmor cannot be sure that alibabaconsultas.com was responsible for
the leak, it appears they were somehow involved, likely in a hosting-as-a-service function,” InfoArmor concluded.

“It is safe to assume that any intelligence organization or cybercrime group with reasonable collection capabilities and expertise will have captured this data. This data could very likely be used against the population of Brazil, the nation of Brazil, or any nations hosting people who have a CFP,” the researchers wrote.