A database containing details of 92 million Brazilians has been put up for sale on the dark web and is being auctioned at $15,000 and above.
According to a report from BleepingComputer, the auction is led by a threat actor registered under the name X4Crow. The offer was posted on numerous underground markets, which can only be accessed via an invitation from someone in the community or by paying a registration fee.
As claimed by the seller, the database contains the names, dates of birth, and taxpayer IDs of about 92 million people, “almost all Brazilian citizens.” Measuring 16 GB and in SQL format, the leaked records are said to be separated per province.
“BleepingComputer received a sample of the database and was able to verify that the information on individuals is accurate and also included the mother’s name and gender. We used the CPF lookup service on the Brazilian Federal Revenue website, which also provides the year of death in the case of deceased persons,” BleepingComputer wrote in its article.
“Although the origin of the cache is not revealed in the seller’s announcement, BleepingComputer was told that it is a government database,” it added.
According to the threat actor, supplying as little as the full name, taxpayer ID, or phone number of a victim can allow third parties to retrieve data present in national identification documents, including the victim’s ID card and driver’s license.
Moreover, other personal details, such as contact numbers, previous addresses, email addresses, profession, education level, relatives, neighbours, license plates, and vehicles may also be included in the leaked report.
“There is no guarantee that all the details will be retrieved for all individuals but the report may provide, on average, 80% of the specifics listed above,” BleepingComputer claimed.
The newly discovered auction comes as the latest addition to the list of massive data breaches affecting millions of citizens across different nations. In September this year, detailed information of about 20 million people in Ecuador was leaked online. This was followed by Russia earlier this month, with about 20 million Russian tax records exposed online.
“Organizations and governmental bodies need to consider going above and beyond the security measures recommended as standard practice, or they will find themselves unprepared,” Forbes quoted Paul Edon, senior director of technical services at Tripwire, as saying. “When retaining this kind of data, it is critical to choose an encryption solution that not only protects the database instances but also provides protection for data in transit and at rest,” he added.