Full Report
In December 2025, a database of the Brazilian crowdfunding platform APOIA.se was posted to an online forum. In January 2026, the company confirmed it had suffered a data breach. The incident exposed 451k unique email addresses along with names and physical addresses.
Analysis Summary
# Incident Report: APOIA.se Database Breach
## Executive Summary
In December 2025, the Brazilian crowdfunding platform APOIA.se suffered a data breach resulting in the exposure of a database containing information for approximately 451,000 users. The breach was confirmed by the company in January 2026 after the data appeared on a public online forum. The incident focused on the exfiltration of Personally Identifiable Information (PII), specifically user contact and location details.
## Incident Details
- **Discovery Date:** December 2025 (via public forum post)
- **Incident Date:** December 2025
- **Affected Organization:** APOIA.se
- **Sector:** Crowdfunding / Financial Technology
- **Geography:** Brazil
## Timeline of Events
### Initial Access
- **Date/Time:** Circa December 2025
- **Vector:** Not publicly disclosed (a database misconfiguration or web application vulnerability is plausible for this class of incident, but neither has been confirmed)
- **Details:** Attackers gained unauthorized access to the platform's backend database.
### Lateral Movement
- **Details:** Information regarding internal movement was not disclosed in the public briefing.
### Data Exfiltration/Impact
- **Details:** A database containing 450.8 thousand unique records was extracted from the environment and subsequently posted to an online hacking forum for public access or sale.
### Detection & Response
- **December 2025:** Incident discovered following the appearance of the database on an online forum.
- **January 2026:** APOIA.se officially confirmed the breach after conducting an internal investigation.
- **February 16, 2026:** Breach data integrated into Have I Been Pwned (HIBP) for user notification.
## Attack Methodology
- **Initial Access:** Unknown; not disclosed by the company. (In comparable incidents the vector is commonly SQL injection or compromised administrative credentials; this is not confirmed for APOIA.se.)
- **Persistence:** Not disclosed.
- **Privilege Escalation:** Not disclosed.
- **Defense Evasion:** Not disclosed.
- **Credential Access:** The user database was accessed, but the source reports exposed PII (names, emails, addresses) and does not mention password material.
- **Discovery:** Database enumeration.
- **Lateral Movement:** Not disclosed.
- **Collection:** Automated extraction of user tables.
- **Exfiltration:** Data uploaded to external online forums.
- **Impact:** Unauthorized disclosure of PII for 451k users.
## Impact Assessment
- **Financial:** Potential regulatory fines under LGPD (Brazilian General Data Protection Law).
- **Data Breach:** Exposure of 451,000 unique email addresses, full names, and physical addresses.
- **Operational:** Investigation and remediation efforts required by IT and security teams.
- **Reputational:** High; loss of trust from the donor and creator community in Brazil.
## Indicators of Compromise
- **Network indicators:** None disclosed. (The source cites news coverage at hxxps[://]canaltech[.]com[.]br; this is a reporting outlet, not a network indicator to block or alert on.)
- **File indicators:** Database dump file (specific hash not provided in source).
- **Behavioral indicators:** Unusual outbound data spikes or unauthorized database queries in December 2025.
## Response Actions
- **Containment:** Verification of database security and closing of identified vulnerabilities.
- **Eradication:** Company confirmed the breach and neutralized the access point.
- **Recovery:** Notification to the public and affected users; coordination with cybersecurity news outlets.
## Lessons Learned
- **Visibility Gap:** The incident was identified via third-party forum monitoring rather than internal telemetry.
- **Data Minimization:** Physical addresses were stored and leaked; evaluating if this data is necessary for all user types could reduce risk.
- **Delayed Confirmation:** There was a one-month gap between the public leak and company confirmation.
## Recommendations
- **Database Hardening:** Implement encryption at rest for sensitive PII (names and addresses).
- **Monitoring:** Deploy File Integrity Monitoring (FIM) and database activity monitoring to alert on bulk data exports.
- **MFA Implementation:** Enforce Multi-Factor Authentication for all administrative access to the database environment.
- **User Security:** Advise all users to change passwords and remain vigilant against phishing attempts leveraging their leaked physical addresses.
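The behavioral indicator above (unauthorized or bulk database queries) and the monitoring recommendation (alert on bulk data exports) both come down to the same detection logic: per-principal row-count aggregation over a time window on tables that hold PII, plus a check that only expected service accounts read those tables. The following is an added example written for this report, not code from APOIA.se or from the source article. The audit-log line format, the table names, the principal names and the thresholds are all constructed assumptions; map the parser to your own database activity monitoring or pgaudit output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample audit log (not from the incident). The key=value format is an
# assumption for this example; real DAM/pgaudit output needs its own parser.
SAMPLE_AUDIT_LOG = """\
2025-12-03T02:14:07Z user=app_svc db=prod stmt=SELECT table=campaigns rows=120
2025-12-03T02:14:09Z user=app_svc db=prod stmt=SELECT table=users rows=1
2025-12-03T02:20:11Z user=report_ro db=prod stmt=SELECT table=campaigns rows=50000
2025-12-03T02:21:40Z user=report_ro db=prod stmt=SELECT table=users rows=6000
2025-12-03T02:23:02Z user=report_ro db=prod stmt=SELECT table=users rows=7500
2025-12-03T09:10:15Z user=app_svc db=prod stmt=UPDATE table=users rows=1
2025-12-03T09:11:00Z user=app_svc db=prod stmt=SELECT table=users rows=1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) db=(?P<db>\S+) stmt=(?P<stmt>\S+) "
    r"table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)

# Tables holding PII (names, emails, physical addresses) and the only principals
# expected to read them. Both sets are assumptions for the example.
SENSITIVE_TABLES = {"users"}
EXPECTED_READERS = {"users": {"app_svc"}}


def parse_line(line):
    """Parse one audit line into a dict, or return None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "db": m["db"], "stmt": m["stmt"],
            "table": m["table"], "rows": int(m["rows"])}


def detect_bulk_exports(lines, row_threshold=10_000, window=timedelta(minutes=10)):
    """Return alerts for (1) unexpected principals reading sensitive tables and
    (2) any principal whose rows read from a sensitive table exceed row_threshold
    within a sliding time window. Reads of non-sensitive tables are ignored."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    alerts = []

    # Rule 1: a principal outside the allowlist reading a PII table (reported once per pair).
    seen = set()
    for e in events:
        if (e["stmt"] == "SELECT" and e["table"] in SENSITIVE_TABLES
                and e["user"] not in EXPECTED_READERS.get(e["table"], set())):
            key = (e["user"], e["table"])
            if key not in seen:
                seen.add(key)
                alerts.append({"rule": "unexpected_principal", "user": e["user"],
                               "table": e["table"], "first_seen": e["ts"]})

    # Rule 2: rows returned per (principal, table) over a sliding window.
    by_key = defaultdict(list)
    for e in events:
        if e["stmt"] == "SELECT" and e["table"] in SENSITIVE_TABLES:
            by_key[(e["user"], e["table"])].append(e)
    for (user, table), evs in by_key.items():
        start, total, fired = 0, 0, False
        for end, e in enumerate(evs):
            total += e["rows"]
            # Drop events that fell out of the window before checking the sum.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                total -= evs[start]["rows"]
                start += 1
            if total > row_threshold and not fired:
                alerts.append({"rule": "bulk_export", "user": user, "table": table,
                               "rows_in_window": total, "window_start": evs[start]["ts"]})
                fired = True  # one alert per principal/table; a SIEM would re-arm later
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_exports(SAMPLE_AUDIT_LOG.splitlines()):
        print(alert)
```

In the constructed log, `report_ro` reads 50,000 campaign rows without triggering anything because that table is not marked sensitive; its two reads of `users` two minutes apart sum to 13,500 rows and fire the bulk-export rule, and it also fires the unexpected-principal rule because only `app_svc` is expected to read that table. The point for a platform in APOIA.se's position is that the first signal of a dump should be this kind of internal telemetry, not the data appearing on a forum.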