Android

It's a terrible idea to type in your CPF to find out if it's been leaked; don't do it.

Fabio Marton February 1, 2021

The massive CPF leak has led many people to ask the obvious: “Could mine have been leaked too?” And, in this context, a link to a website is circulating to find out if your CPF has been leaked. The website asks for your number and date of birth, and gives you the answer. And we will not leave the link here under any circumstances.

Why it’s a bad idea to do this. One, you don’t need to go there; we’ll give you the answer: YES, your CPF was leaked. There’s a huge chance that it was. There are 220 million entries, more than the entire population of Brazil (and more has to do with the problem). It’s always a bad idea to “check”, and the point of this article is to explain why.

The hacker doesn't know you

We are not saying that the site is not trustworthy. We did not conduct such an investigation. The information on the site points to a young IT technician – and perhaps he just wants, honestly, the donations he is asking for. But it is a good habit to acquire to never react to leaks, except through official means. Because scammers depend on this reaction. And typing your CPF on a little-known site to find out if it has been leaked follows the same logic.

Let's take an example: when you receive a threatening email telling you your password. Everyone has probably received one of these. It is the real password, in fact it is in your hands. of criminals.

But the scammers didn't attack you personally. They probably bought the information from one of the leaks that happen all the time, who knows when and where. What they don't know is whether, in a list with millions of entries, your password is still valid, whether your username still exists. And they won't test each one individually.

When you respond, you are essentially saying, “Yes, the password is correct and up to date, and I care about that.” It is only at this point that you have let your guard down and opened yourself up to the scam itself. From this point on, the scammer knows that they can log into your account and extort money from you.

So never “check” if you’ve been hacked. Or go to an unknown website to find out if your CPF has been leaked. It has been leaked – with millions. But whoever has this data doesn’t know if what they have in their hands is worth anything.

In the case of CPF, since the number is greater than that of Brazilians, it means that there is data pollution: millions of dead people in the registry. By reacting or, in this case, confirming your CPF and date of birth, you are saying that the CPF belongs to a living person, that the date of birth matches, and that this is a person concerned about the leak. That is all they need for the information to be used against you.

Image: Soumil Koumar/Pexels/CC