GuardianKey: Painless Cybersecurity!
2021-01-19

Data leakage: 243 million Brazilians

This can happen with your system!

On December 12th, 2020, the site Estado de São Paulo reported a vulnerability that exposed the data of 243 million Brazilians. The number exceeds the total population of Brazil because it includes deceased people.

The failure was caused by the exposure of base64-encoded access credentials in the page source code of the system. Base64 is an encoding, not encryption: anyone who viewed the source could decode the credentials and, with them, access the personal information of everyone registered in the database.
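As an added example (not code from the article or from GuardianKey), a small Python check that a developer could run over a page's HTML to spot base64 tokens that decode to credential-like text, which is exactly the kind of exposure described above. The sample page, the token regex and the credential patterns are constructed assumptions for the demonstration.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Runs of base64 characters long enough to hold a "user:password" pair.
# Assumption: a leaked credential appears as one contiguous base64 token.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# Decoded text that looks like a credential: Basic-auth style "user:password",
# or a sensitive key name ("password", "secret", "api_key", ...) followed by = or :.
CREDENTIAL_HINT = re.compile(
    r"^[\w.@-]{1,64}:\S{4,}$"
    r"|(?:pass(?:word)?|pwd|secret|token|api[_-]?key)[\"']?\s*[=:]",
    re.IGNORECASE | re.MULTILINE,
)


def decode_if_text(token: str) -> Optional[str]:
    """Decode a base64 token; return None unless the result is readable text."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (ValueError, binascii.Error):  # bad padding or alphabet
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:  # binary payloads such as inline images
        return None
    if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None
    return text


def find_exposed_credentials(page_source: str) -> List[Tuple[str, str]]:
    """Return (token, decoded_text) pairs for base64 tokens that decode to credential-like text."""
    findings = []
    for match in B64_TOKEN.finditer(page_source):
        token = match.group(0)
        decoded = decode_if_text(token)
        if decoded is not None and CREDENTIAL_HINT.search(decoded):
            findings.append((token, decoded))
    return findings


# Constructed sample page: an embedded Basic-auth pair, an encoded JSON config
# with an API key, and a harmless base64 image prefix that must NOT be flagged.
SAMPLE_PAGE = """<html><head><script>
  var apiAuth = "Basic " + "c3ZjX2NvbnN1bHRhOkh1bnRlcjIh";
  var cfg = atob("eyJhcGlfa2V5IjogIkFCQzEyMyJ9");
  var logo = "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJ";
</script></head><body>Consulta</body></html>"""

if __name__ == "__main__":
    for token, decoded in find_exposed_credentials(SAMPLE_PAGE):
        print(f"{token} -> {decoded}")
```

Run it against a saved copy of a page served by your own application; every hit is a credential that belongs in server-side configuration, not in client-visible source.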

How the username and password were obtained is just one detail in this case: they could also have been obtained through phishing, infection of the user's device, or even a "man-in-the-middle" attack. The fact is, as the website "Have I been pwned?" (https://haveibeenpwned.com/) shows, passwords always leak. This shows that authenticating with only a username and password is not enough to protect our systems. An efficient multi-factor authentication system is a basic need for any system that wants to protect its users' data and to comply with data protection regulations (e.g., GDPR).

GuardianKey Auth Security² performs multi-factor authentication. Thus, even if the credentials are correct, an attack is blocked unless the attempt is also validated by the other factors.

If the vulnerable system in question had been using GuardianKey, most likely the attacker would not have gained access to the system and the leak would not have happened.

Incidents occur and will keep happening. Knowing how to deal with them and protect your information is what will really make your system resilient.

More information:

  1. https://saude.estadao.com.br/noticias/geral,no...
  2. GuardianKey Auth Security