Several questions arose after the leak of 223 million CPFs, among them: how do I know if my document has been leaked? The developer Allan Fernando decided to help by creating the Fui Vazado website, which allows you to check if your personal data – such as your full name, credit score, salary and face photo – were exposed. There is another tool that allows you to check if your company is among the 40 million CNPJs that were also affected.
Website allows to consult if CPF was leaked (Image: Reproduction / I was leaked)
How to know if your CPF has been leaked
On the Fui Vazado website, you enter your CPF and date of birth, and check if your data is part of the leak. Due to high demand, you may experience error 524 timeout.
Allan guarantees that he does not keep the CPF and date of birth entered by users to make the query: “I did not make any log system, and the only data I have about the accesses is that generated by CloudFlare”, informs the developer to Tecnoblog.
please note that the tool does not reveal the data itself that was exposed in the leak, only the categories in which you were affected: for example, your phone and address may have been leaked, but not your face photo and debt information.
Site shows categories in which your data was leaked (Image: Reproduction / I was leaked)
“This website has the exclusive purpose of serving as a consultation so that everyone affected by the leak knows if their data has been leaked and what it was”, explains Allan on the project page. “The only data stored is CPF, full name, date of birth, sex / gender and a list of 37 items.”
It is worth remembering that there are two distinct leaks, both involving 223 million CPFs. The first includes only the CPF, name, date of birth and gender; it was being offered for free on the internet.
In turn, the second leak – the details of which were disclosed exclusively by the Tecnoblog – it is much more complete and is for sale. It brings data about e-mail, telephone, address, occupation, credit score, registration status with the Federal Revenue Service, face photos, among others; there are 37 categories in total. The file includes a list of the 223 million CPFs affected, plus a free preview of the data, and this is circulating on the internet.
Allan used the data from the minor leak, plus the free preview of the major leak, to create the Fui Vazado website. It is an initiative similar to Have I Been Pwned, which notifies you about exposed passwords.
Site allows to see CNPJ leak
Site allows to see if CNPJ is in the leak (Image: Reproduction / Syhunt)
Felipe Daragon, founder of the security company Syhunt, created a way to check if a company’s CNPJ is among the 40 million that leaked. Here, too, there are two distinct but connected cases: the first leak bears the fancy name and founding date; the second includes data on debt, credit score and more.
The consultation can be done through the website BLB20 LeakCheck; Daragon dubbed the leak BLB20 (Big Leak of Brazil 2020). In it, it is necessary to insert the CNPJ number and some additional information to ensure that whoever is doing the checking is the corresponding company. “Only the person responsible for the CNPJ can request a report”, warns the page.
Daragon tells the Tecnoblog which processed about 50 GB of data and mapped exactly what was leaked by CNPJ, managing to generate a report in seconds. He also analyzed the CPF data, but preferred to follow only the CNPJ check (with validation) due to legal fear.
Site about CPFs leak yields lawsuit?
Can the Fui Vazado website create any legal problems? Probably not, because it offers a free consultation to the data, as they explain to the Tecnoblog lawyers Adriano Mendes and Luiz Augusto D’Urso, both specialists in digital law.
“If he justifies this site as a whole based on a legitimate interest of the LGPD, he can do that with an access to personal data of individuals,” explains Mendes. It would not be allowed to keep whoever requested the data consultation, and they could not be used for any other purpose.
“But this in itself is not an infringement of the LGPD, because it will be based on a structure of legitimate interest – it is the name of the legal basis,” says the lawyer. This goes for both individuals (CPF) and legal entities (CNPJ).
The restriction would be if he wants to “sell a paid service or have an economic purpose on this database”, says Mendes, because it would depend on a previous authorization or contract.
Luiz Augusto D’Urso believes that a service like Fui Vazado is legal, as it is a search tool that accesses a database that has already been leaked, only giving the result to the user who queries if his data it’s in the middle.
“He is not selling any CPF-related services, he is distributing a search on the internet for free on the leaked databases… he only analyzes the information and delivers it to the person, whether it was leaked or not”, explains D’Urso to Tecnoblog. “I don’t see any lawsuit against him.”