The Brazilian blog "Tecnoblog" has the full details here[1], with a list of all the information allegedly included in this data. If they are correct, that's pretty much everything about everybody... I mean personal info (like addresses and phones, family, education, employer), financial info (like bank accounts, salary, credit score, creditors, bounced checks, whether receiving government assistance), other background info... for some entries (over a million) there are even mugshots!
Yes. The hacker has a contact email where you can send queries using the CPF (unique for each Brazilian) of whoever you want. He'll then send you a bitcoin address for payment and send you back the info.
I’ve already had to reward the government and credit bureaus to get access to my data. I don’t see anything too different about rewarding this hacker just because the law doesn’t bless this sort of data extortion like it does the rest.
Would it? Hacking on the internet is pretty much immune to conventional systems that keep people honest, like being able to be caught and prosecuted or social norms. I think it's more useful to see hackers as like a force of nature to defend against but which it's useless to try to do any moralizing about. The more hacking that happens, the more secure computers will (hopefully) be made in defense, and the less vulnerable to future hacks. Hopefully it's not an endless arms race and eventually we figure out standard ways to keep things secure as a result.
Even though it sounds pretty bad and big (and it is), this is not new to Brazilians. It's a known thing that you can buy DVDs (yes, DVDs) with personal data from millions of Brazilian customers on the streets of Sao Paulo, in the daylight market (called Camelo's).
There were some news articles about it a few years ago. Even the former president's data was there. Social Security Number (not as secret as it is in the US and Canada), address, name, phone number. Even some family relations. It was pretty cheap.
This leak is much more harmful. If the data really comes from Serasa Experian, they have more accurate and structured data from people/companies/assets in Brazil than anyone else.
Man, why can't we get some useful data leaks? Like all the records from companies incorporated in DE, or all the tax records from companies and rich people or another one from offshore account havens.
> At the time of her death, Daphne Caruana Galizia was facing 48 libel suits.
> On 16 October 2017, Caruana Galizia was driving close to her home in Bidnija, when a car bomb placed in her leased Peugeot 108 exploded, killing her instantly. The blast occurred on Bidnija Road, and left the vehicle scattered in several pieces across nearby fields.
I would assume the companies working on those accounts care more about security than the company working for average citizens. They can actually go out of business and see consequences after being hacked as opposed to, say, Experian.
> According to the experts, who use artificial intelligence techniques to identify malicious links and fake news, the leaked data contains detailed information on 104 million vehicles and about 40 million companies, potentially vulnerable to 220 million people.
Thanks, finally somebody telling us what data is in the leak.
> Information on the more than 104 million vehicles reveals important details, such as chassis number, license plate, municipality, color, make, model, year of manufacture, engine capacity and even the type of fuel used. In the case of legal entities, the following were leaked: CNPJ, corporate name, trade name and date of foundation.
Every piece of information on this list is either plainly visible (for cars) or published by the government.
The article talks about data of real people (not companies), but doesn't say what leaked about them.
This link [0] may have the information you are looking for.
The link above seems to be from an unrelated breach, the one discussed in the OP affects pretty much everything, not even your LinkedIn profile managed to escape.
> The article talks about data of real people (not companies), but doesn't say what leaked about them.
Personal data (CPF, birthday and so on), credit scores, social class, purchasing power, and other information that a company specialised in credit scores has (the leak is probably from a credit score company).
> Every piece of information on this list is either plainly visible (for cars)
Nope, engine capacity, fuel type and year of manufacture are generally not visible on a car; the VIN is also not always publicly visible (in Europe, I don't know how the regulations are in Brazil).
What makes this database dangerous is its value for criminals in aggregated form... it's enough data to forge a car title, and assuming that there is another database that links VINs to individual people (either from the government or from a hacked bank), it now is possible to identify targets for a break-in attack.
I don't see how it can be new. When I lived some years in Brazil (around 1999-2001), you could buy, at a specific street in Sao Paulo, a CD with all the tax information from every Brazilian citizen.
I remember seeing the news, years ago, that a guy was trying to discover where spammers were getting his email. So he created a bunch of emails for different things.
Guess which email started receiving spam very quickly? Yeah, the one he used for taxes.
I've been doing this for exactly 20 years this week. I always use a unique address for each site (pretty easy; I just use a wildcard domain).
Pretty much everything has been leaked: most retailers, software companies, all phpBB forums, wordpress blogs, Experian, Amazon (3P Sellers, not AMZN itself), Dropbox, LinkedIn. The list goes on and on.
A better option than a wildcard domain with spam filtering is a server where there is zero spam filtering and each unique address goes to a unique folder. Then you have much more opportunity to detect leaks to spammers.
I remember in the 90s when we thought it was funny to sign people up for every newsletter we could find. You could basically destroy someone's email address making it forever unusable by spending an hour signing up for junk.
I was born dual US/Brazil and left Brazil just after turning 18 about 36 years ago, wondering whether I'm in the leak and whether anyone could use my info to open illicit bank accounts, etc. I don't want to be associated with money laundering, and am too far in headspace from financial institutions/credit bureaus to check it out.
I think there are extra fees as a foreigner. You are not prohibited from having a bank account, insurance, using credit, etc. But most systems will prevent the CPF from being used without some sort of special approval.
> “No, we have bigger problems than that to worry about.”
Pretty much that. In the "Maslow's pyramid of government-related needs", the doxxing is near the top. People are much more worried about stuff like not dying of covid, not being kidnapped, not dying in traffic, paying the dreaded Boletos (bills), etc. Internet doxxing is dwarfed by the more urgent needs. Brazilians are also sure that exactly zero things are going to be done about these leaks. Some government representative is going to say "we're going to investigate" and that's as much as we're going to get.
This says that it leaked Brazilians' name & CPF numbers.
CPF being the number that people give to every random shopkeeper to enter that tax lottery. So, it's... not exactly a big secret. To do most official-type things you have to go down to the cartório with your actual ID, not just enter the number.
Heck, I've been to places where you had to use one to use the free wifi. Granted, in that particular case, it didn't care if you used someone else's. I wouldn't be surprised if that was also true, elsewhere, honestly.
I'm sure someone will find ways to misuse this but Brazil has bigger problems. Also, this doesn't seem to be a leak of government data, it looks like it came from Serasa Experian or one of its contractors.
So yeah, I tend to agree with you. If the government does something, it will probably be like that law posted on every elevator warning you to check that there's an actual elevator there, instead of just walking into the empty shaft. For those curious, that'd be lei estadual nº 9.502 de 11/03/1997 - https://www.al.sp.gov.br/norma/?id=9419
Not just CPF and names were leaked, lots of correlated information was leaked too, such as credit scores, civil status (married, single, etc), gender, birth date, e-mail, phone number, home and work addresses, education level, job, salary, net income, tons of data about bank accounts, even face pictures!
All that data, just available for anyone to dig in and do their worst.
“This number is super secret and you must guard it with your life and never share! Oh also write it down on every semi-official form, send by paper mail, and enter into all sorts of webapps”
Sure, the SSN is used a lot but it's normally more for things on the level of bank accounts or signing up with a new employer, where there's some serious investment and need to validate your identity. When you enter it into a website, it'd better be for an important reason.
The CPF is something you might use at the grocery store when buying a piece of fruit in the hopes of winning 1000 BRL from the government for helping the store prove that it's paying its taxes. Go to SP and every shop will ask "CPF na nota?" True, you can just answer "não obrigado/obrigada" but from what I saw, most people give it out.
You just don't see that same level of usage in the USA. You're not going to wander into some store and have the shopkeeper ask for your SSN as soon as you get to the counter.
I don't bother being secretive about my SSN, it's security theatre. The person in earshot has a lower likelihood of bothering with it when every service provider that also has it will get mass hacked and they are the primary targets.
I use a separate TIN or EIN (Tax/Employer Identification Number) where I can. All my businesses have one, even a sole proprietorship that exists purely in your head can obtain one, and this can go on many forms.
Interesting, if you get paid on another TIN does it effectively become your main SSN? What about at retirement time? Would like to hear more about this.
“Effectively become your main SSN”? No, but that's a loaded question. Fewer places would have your SSN or TIN. The only difference it really makes is peace of mind and relying on the current reality that hackers aren't targeting you or anyone specifically, and you will have an additional way to verify yourself if someone did try identity theft or whatever you're worried about. Online people databases will still be reporting pieces of your older SSN while you have been primarily giving services a different number.
Retirement time isn't a problem. If your business is getting paid and the person that pays needs your TIN/EIN then that's what they get instead of your SSN. You are still paying self-employment taxes contributing to retirement.
EINs don't accumulate Social Security, but when you file taxes you'll pay "self-employment tax" on earnings from that "business" and those go to your personal SS account.
When you use an EIN you're basically claiming to act as a business. For some cases, you can do that just fine. But for a lot of SSN requests for identification or credit checks it won't work. And anyone who cares that it's an SSN vs a TIN can figure that out easily.
> In America, you don't give your SSN to your utility company
You do where I am, because they run a credit check to determine whether you need to pay a deposit.
Legally it is not supposed to be used for identity at all, except for Social Security (and IRS) purposes. But in practice that doesn't happen and it's not particularly secret. It used to be pretty common for people to include it on their pre-printed checks. When I was in college it was used as the student ID number. This was all before "identity theft" was really a thing people worried about.
But the SSN was not really intended to be secret. It is not designed to be a proof of identity, but so many companies have treated it that way that it gives more access than it should. If we could prevent companies from using it like a password, it would no longer be a major risk to have it exposed.
The CPF is quite annoying as a tourist. Mostly there are workarounds, but it is ridiculous how many things assume you have one. Yes, fake ones usually work. It was a few years back when I visited, but the hoops I had to jump through to buy an internal flight were unbelievable. I mean, the idea that a non-resident might want to travel within the country on a budget airline, right??
Yeah, I hear you. Technically, anyone can get one, though I believe it comes with some annoying tax obligations, so it's not really something one would do as a tourist.
At least it's not as wonky as our identity card number. For those who don't know, since our identity cards are issued by the state governments, instead of the federal government, in theory a single person can have 27 different identity cards, one for each of the 26 states plus the federal district; all of them are valid in the whole country (and beyond, since some Mercosul treaties allow using the identity card instead of the passport).
Oh, no. It seems much more useful than that. By knowing credit, salary, age, and address... it's much easier to target high "value" targets for on-line, or more likely in Brazil in-person, burglary or home invasion. This also gives cover to individuals, banks and other organizations to drain large accounts by "guessing" passwords, since now it could be "anyone".
Like Covid, this is likely to be another generational wealth transfer event. It will be interesting to see how much stays in the country, but I expect most of it will.
We must live in very different parts of Brazil because around these parts no one seems to care about Covid, which doesn't surprise me considering the message we get from the federal government.
Another month another set of news that can be solved by NOT storing all the data in one place by one company. But for that we need better software. This article is literally like The Onion article about guns. Maybe we should put it with names changed every few months:
I would argue that if anything, in our current world of privacy- and anonymity-indifferent lawyers, regulators, policy makers, corporate heads and most members of the general public, things like this and the hackers behind them perform a sort of obscene public service in a way: they make everyone at least somewhat leery about trends towards so much of our private lives falling into too many databases, especially when said data is highly personal, financial, medical or location-based (and thus especially compromising in certain contexts).
The reason why? While lawmakers, politicians and corporate heads couldn't give less of a shit about the average joe's privacy, they know that it's increasingly difficult even for them and their own families to stay private from too-pervasive, intrusive data collection, and they also now see ever more often just how near impossible it is to make said data stay secure from mass public leaks. Oops... Their own "optimization" obsessed nosiness maybe biting them back bit by bit.
It would be perversely amusing to see the head of some bullshit ad tracking firm, or bottom-feeding user data reseller, or the head of a snooping social network have their own dirty laundry leaked all over the web for all to see.
It's much worse than that. The leak contains dozens of datasets (relatives, addresses, jobs (+ linkedin), schools, vehicles, income, debts, pictures of faces, companies).
That won't happen until companies are held liable for damages caused by inadequate authentication processes.
If a bank gives a credit card to someone who says they're me, based only on my SSN, I don't see why that should be my problem. It's between the bank and whomever they gave the card to. If they don't know who they actually gave it to, well then it sounds like they need to improve their process.
But it becomes my problem because it's my credit score that gets ruined.
Deepfakes are not yet that good for live video, but you are right, using an open authentication standard that can be transferred between devices would be the only good solution at this point.
Companies and governments could verify me live to authenticate my public keys.
I can just imagine the future: Instead of reading stories of Identity Theft, we'll read about people getting locked out of their identity... like the folks today who lose their Bitcoin keys.
"Of course, you can always pay a recovery company to get your identity back. But, that's expensive--more than most people have. The company will do it on credit (if they like your prospects), but then they have title to your identity until you pay them back, which, for many, is a day that never comes. The charges, service fees, garnishments, and interest on the above just add up and up."
It makes for an effective gloomy sci-fi atmosphere, but does it really make sense? What's stopping someone from starting a better recovery company that actually gets the job done and doesn't do it on credit but for a fee? Incentives are not aligned if I have to pay interest, because then the company has no reason to actually recover the identity.
I don’t believe that the phone book was an immoral institution, no. Or the county register of deeds, or the vital statistics office, or the school directory, or the voter registration rolls, or the court records.
Privacy is important, there are things that must be kept confidential, but the basic facts of a person’s existence are not necessarily among them.
Companies? How about your government? I have a coworker who had returns filed against them by someone in prison! If that does not startle people how about that in some states absentee votes are merely verified against a signature on file.
What we need is a means by which others can be sure it really is us, and we can be sure that actions we have taken are credited to us and those we did not take are not.
In effect we will need a system by which we have instant notification; similar to how some CC providers mail or text you each transaction; and historical tracking so that we can prove when we did or did not.
However, there are not many unique methods to physically identify people short of DNA transfer. I know that people bring up Minority Report whenever facial recognition comes up, but that wasn't the tech they used; they used iris recognition.
So we break down each action and assign a value to how secure and verified it must be and work our way up from there. Similar to how self-driving cars are defined, on a level of one to five, how secure must an action be before it's accepted.
I don’t see much difference between companies and governments, that’s why having an authentication standard that is accepted by all of them (and users as well) is important.
Some humans are likely completely off grid and not on record anywhere.
Quite a few, including a good percentage of my relatives.
One is particularly good at it. Aside from the wages his employer reports to the federal government, property ownership records, and an SSN, he simply doesn't exist.
He gets paid each week in cash. Doesn't have a bank account or credit card. Because of his lifestyle and the type of vehicle he uses, he doesn't need a driver's license, registration, or insurance. His home has solar panels, a propane generator, and a well, so no utilities. I don't know what he does about trash service, but having seen the town, I wouldn't be surprised if it's still legal to burn your garbage on your property.
He's happy. Not paranoid that I can tell. He just lives a simple life where satisfaction comes from reading books and improving his mind, and not from hoarding electronic gadgets and social media thumbs to prove his worth.
Articles about breaches rarely if ever contain a link to the actual data. I'm left trusting the journalist, who may or may not be tech literate. Even a random sampling of the records would be more illustrative than anything these bloggers post about.
I don't see how your comment is anything more than FUD.
The leaked information suggests it may have come from Serasa Experian [1], although they deny it, or some third-party that provides services to them. I haven't seen any evidence the government has anything to do with this.
The original comment is likely a troll, but the current government did place a bunch of amateur hacks in the highest positions of power, which led to things like the minister of culture asserting to the public that a woman belongs in the kitchen, or the minister of education asserting in public that the humanities like sociology and history must disappear from the face of the earth, and the minister of the environment saying in a leaked video of a presidential meeting that thanks to covid they now had the distraction they needed to kill Indians and give the land to soy farmers.
So, even if it's a trollish comment, it is not too removed from the truth. I can see how incompetence, cost cuts, corruption and favoritism (he did place all his sons in a Trump-like fashion in his cabinet) might have led to this. Not to mention the relaxing of oversight and the rule of law which allowed even more departments (and the private companies working for those) to hold and share this information without concerns.
The previous government (removed illegitimately in a coup) did place emphasis on digital security. Brazil has had safe electronic voting for decades and Brazilians have received a Java application from the government to do their taxes since the 90s. The current government was elected on the basis of "we will undo everything the last <<corrupt>> government did".
> The previous government (removed illegitimately in a coup)
Dilma was impeached and removed, Temer finished her term, then Bolsonaro won the election after getting stabbed, and nearly killed, by opposition supporters. I know he's highly controversial, but he did win the election.
The removal of Dilma is not normally what one would describe as a "coup." The military junta from 1969, however, is.
What you are describing is a "hard coup", while in the case of Dilma it was what can be described as a "soft coup".
Yes, the congress followed all the legal proceedings, but in the end they did not prove that the accounting maneuver her government did was illegal, and therefore it was unfit for what could be called a legal impeachment proceeding.
If you add this to everything that was happening behind the curtains, and history will make this even more clear, yes it was a coup, just that, this is of a different sort.
(BTW a lot of important players of the time are starting to confess everything they did, and how dirty it was)
Imagine that without any legal proof, the legislative chamber can throw out any legitimate president, basically nullifying the people's wish and therefore the democracy. Also this will make the legislative power the most powerful one over the other two, going against the three powers (separation of powers) concept of Montesquieu.
That's why the impeachment proceeding cannot be based only on political grounds, but also needs a clear legal basis of the government doing something wrong under the current legal framework.
In the case of Dilma, only the political axis was at play, and a dirty one I must say, where they didn't respect the legal grounds and in the end there was no proof of her wrongdoings.
> What you are describing is a "hard coup", while in the case of Dilma it was what can be described as a "soft coup".
That is inventing new words and definitions for your convenience. It cuts both ways, one can say it was a "democratic coup", a "constitutional coup", a "popular coup" (more than 60% of the population in favour), a "coup against tyranny and poverty" (worst reduction in GDP in 120 years), etc.
Listen to one of our most respected historians, https://pt.wikipedia.org/wiki/Daniel_Aar%C3%A3o_Reis , an academic awarded for his work on dictatorship and democracy, who also fought against our dictatorship in a guerrilla war, founded the PT, Dilma's party, and worked in many of the PT governments: it was not a coup.
> Listen to one of our most respected historians ...
Mentioning an "O Globo" article from 2016, a news outlet that was part of the package that heavily supported the coup, by constant manipulation of Brazil's popular opinion, being one of the most influential TV channels in Brazil. A support that paved the way for Bolsonaro and all the right-wing lunatics that are in power right now.
Also "one of our most respected historians", IDK, not from the field, but never heard of him. Maybe I should take for granted something he says about our past, but historians don't have the best kind of training to understand the present time; sociologists and philosophers can do much better. Also knowing how 'Globo' works, it must have been hard to find a guy from social sciences that would corroborate their distorted and manipulated point of view (and at some point in time they will have to make a historical repair over all the wrongdoings in this case).
Marco Antonio Villa, for instance, is a well-known historian, but is clearly a right-wing supporter, with a clear political view and agenda, despite being against Bolsonaro nowadays. So there's no way to resort to prestige in the field and yet somehow say it has anything to do with objectivity, because we know this is not how it works in real life.
On the other hand, I can present you a lot of current newspaper pieces that say exactly the opposite. There is a trend now where even people that supported this in the past are starting to show a changed opinion about the subject, as the blind hate over Lula or PT is starting to make less sense nowadays, when all this has led to the suffocating reality we are living in.
> Lula, Dilma and her party tried to impeach Social Democrat President Fernando Henrique 45 (forty five!) times.
> By your own definition, they tried 45 coups, making them the biggest coupists in Brasil's history.
Don't know if those are the real numbers, but anyway, taking them for granted, none of them was approved, so it doesn't matter if it was 10, 100 or 1000. You are comparing oranges and apples here.
The only way for it to be comparable would be if one of them got approved and, without any legal grounds being proved, removed Fernando Henrique from his legitimate presidency. Then yes, I would say it would be a "soft coup", because it needs the green light from a lot of important people for this to happen without the right guidance under the law.
Because that's how you cook a coup that has the appearance of legitimacy, but once anyone digs enough, they can see how much it was flawed and corrupted from the very start (for instance, it started as a form of 'Cunha' blackmailing the president to stop the investigations on his corruption cases).
Even if you say the ouster of Dilma was illegitimate, there's the fact that her VP served out the rest of her term, then the party lost the next election. There's no "coup" because there was no loss of power by anything other than the democratic process.
Now of course there have been all sorts of dirty political dealings, those just aren't described by the word "coup." That said, if some day Bolsonaro or others form a new junta, then I will agree with you at that later time. But that day is not today, unless I am slow in receiving news of a newly formed junta.
With the running candidate jailed with obviously fabricated evidence and released last year with no conviction. All the while with WhatsApp campaigns promoting pizzagate-like conspiracies.
> her VP served out the rest of her term
That I fully blame on the party picking an extremely right-wing VP to be able to get elected. But don't make the soft coup less of a coup. The VP was chosen to get support from the farmers and religious groups that control most of the interior of the country, and they paid the price for that.
If it does, I didn't get my 50 Mao cents for posting. And you'd think China would support the Partido dos Trabalhadores (Worker's Party) ideologically, but it's their Mao cents, not mine.
Lula was convicted twice, he only got freed from jail because of a new legal ruling that said that you can't be jailed until all appeals have been heard. That's... not the same as "no convictions" even if you want to claim the judges were both biased.
And I'm not aware of anyone accusing Lula of being a pedophile, though maybe someone did? Everything I remember hearing blamed him for robbing Petrobras. You sure you're not getting Lula confused with "João de Deus"? I thought he was the one who was raping people.
Your article refers to the "regime semiaberto" that Lula was offered after completing one sixth of his sentence. This was prior to the Brazilian Supreme Court ruling that released him on 8 November 2019. His case is still pending before the Supremo Tribunal Federal.
Translating: Lula could go on probation but deliberately chose to remain imprisoned because he did not '[...] recognize any legitimacy of the process which condemned him [...]'.
The supreme court then ruled that "you can't be jailed until all appeals have been heard". Only then he decided to get out of prison.
I don't think we're disagreeing with each other at this point. He was only actually freed by the supreme court ruling that he could not be jailed until all appeals (of which there are many) were exhausted.
Regime semiaberto is roughly equivalent to being allowed to go out under house arrest and wouldn't have changed his conditions much.
[1] https://tecnoblog.net/404838/exclusivo-vazamento-que-expos-2...