Full Report
In April 2020, the now-defunct Brazilian e-commerce platform HomeRefill suffered a data breach, and the data was later redistributed as part of a larger corpus of data. The data included 187k unique email addresses along with names, phone numbers, dates of birth and salted password hashes.
Analysis Summary
# Incident Report: HomeRefill Data Breach (2020)
## Executive Summary
The defunct Brazilian e-commerce platform HomeRefill experienced a data breach in April 2020, resulting in the compromise of 184k user records, including personal identifying information and salted password hashes. The stolen data was later identified as being redistributed within a larger corpus of leaked credentials. Remediation focused on advising affected users to change passwords and enable multi-factor authentication.
## Incident Details
- Discovery Date: October 2025, when HIBP noted the data after it had surfaced publicly and been redistributed (the breach itself occurred earlier).
- Incident Date: April 2020 (Breach Occurred).
- Affected Organization: HomeRefill (Now defunct Brazilian e-commerce platform).
- Sector: E-commerce.
- Geography: Brazil (Implied).
## Timeline of Events
### Initial Access
- Date/Time: April 2020
- Vector: Unspecified vulnerability/attack vector leading to initial data access.
- Details: Attackers successfully accessed systems holding customer data.
### Lateral Movement
- N/A (Not detailed in source)
### Data Exfiltration/Impact
- Data compromised included names, email addresses, phone numbers, dates of birth, and **salted password hashes**. Exfiltration occurred around April 2020, with the data later being redistributed publicly.
### Detection & Response
- Detection: The breach was discovered after the fact, when the data was indexed or redistributed globally (as noted by the Have I Been Pwned inclusion date of Oct 3, 2025, which references the 2020 incident).
- Response actions taken: Remediation advice focused on end-user actions (password changes, 2FA adoption). No internal organizational response details were provided.
## Attack Methodology
- Initial Access: Unknown.
- Persistence: N/A
- Privilege Escalation: N/A
- Defense Evasion: N/A
- Credential Access: Acquisition of user credential data, including salted password hashes.
- Discovery: N/A
- Lateral Movement: N/A
- Collection: Gathering of PII (names, DOBs, phone numbers) and authentication data (password hashes).
- Exfiltration: Data extraction and subsequent redistribution.
- Impact: Sensitive personal data and authentication credentials exposed.
## Impact Assessment
- Financial: Not disclosed.
- Data Breach: 183.8 thousand unique records compromised, containing names, email addresses, phone numbers, dates of birth, and salted password hashes.
- Operational: HomeRefill is now defunct, suggesting that any operational impact ended with the cessation of business.
- Reputational: Significant reputational damage due to the public exposure of customer data.
## Indicators of Compromise
- *Note: Since this is a summary based on post-incident reporting, specific active IoCs are not provided.*
- Behavioral indicators: Unauthorized exfiltration of customer database backups/exports.
## Response Actions
- **Containment:** N/A (Incident occurred in 2020; containment measures were not detailed).
- **Eradication:** N/A
- **Recovery:** N/A (Organization is defunct).
- **User Communication:** Advice to change passwords if not done since 2020 and to enable Two-Factor Authentication (2FA).
## Lessons Learned
- Data security controls were insufficient to prevent unauthorized extraction of customer PII and credential hashes in 2020.
- Storing only salted password hashes is better than storing plaintext, but it still puts users at risk if the salt is weak or the hashes are cracked offline.
## Recommendations
- Immediately change the password on any account that reuses a credential from this platform.
- Enable Two-Factor Authentication (2FA) on all critical accounts.
- Utilize strong, unique passwords managed via a reputable password manager.