A file with more than 40 million CNPJs is circulating on the internet with the fancy names and company names of legal entities. As found TecnoblogHere’s a preview of an even larger establishment that includes credit scores, debts, a list of partners, and more. It is suspicious that these data come from Serasa Experian, as well as the leak affecting 220 million Brazilians; the company denied it.
Two CNPJs leaks
There are two different leaks. One of them seems more harmless, as it only includes the CNPJ, the company name, the trade name and the company’s date of incorporation.
This dataset is being distributed for free on a well-known forum on the open Internet (not on the dark web). It contains 2.9 GB of data and will be aggregated by August 2019. In total, there are 40,183,784 CNPJs listed.
Then we have a second, more complete leak, also with 40,183,784 CNPJ. It provides many other information: e-mail, phone, address (with latitude and longitude), list of partners for CPF and shares, legal representative and equity value.
Leaks come from Serasa Experian?
Some of these data may be obtained via the IRS website, but not all – and this provides clues as to where this content came from.
One of the bibliographies contains information from Mosaic, a Serasa Experian service that categorizes companies in different segments as “large, traditional and influential”, “small rural merchant” and “entrepreneur Young people are developing ”. The idea is to help potential customers and target advertising.
Another directory deals with credit scores, with scores and levels of risk (very low, low, medium, high and very high). In the leak, there is also a list of debts with their respective values.
In a statement for Tecnoblog, Serasa Experian acknowledges that it is aware of “third party statements regarding data provided on the dark web”. She claims to have done an investigation, but “at the moment we don’t see anything that suggests Serasa is the source”.
In a new position, she said:
Based on our analysis to date, we conclude that Serasa is not the source of this data. We have performed an in-depth investigation that found that there is no correspondence between the fields of the directories available on the web with the fields in our system where the Serasa Score is loaded, as well as with Mosaic. In addition, the data we analyze includes elements that we don’t even have in our systems, and the data that is attributed to Serasa doesn’t match the data in our files.
What’s in the CNPJ leak?
This more complete leak isn’t free: it costs between $ 0.05 and $ 50 per CNPJ, depending on the amount of data purchased. Payments are only made via bitcoin, with release times within minutes or hours.
Below, we gather 17 types of information in our listing for sale; The Tecnoblog explore these details with the help of DataBreaches.net.
- basic: CNPJ, company name, trade name, registration (headquarters / branch, situation), date of incorporation, number of employees, size, legal nature
- Phone: Area code, number, carrier, package, line type (fixed, prepaid, postpaid), installation date
- Address: street address, number, neighborhood, city, state, area code, type (residential / commercial), latitude and longitude
- business: name and CPF of partners of the company, participation (shares and%), date of joining the company
- legal nature (corporations, individual entrepreneurs, cooperatives, state agencies, etc.)
- legal representation: CPF and agent name, subscription status (active / downloaded / inappropriate)
- Executive class: Hours of operation (24h, commercial from 9am to 6pm, lunch, evening, etc.), type of distribution (physical retail, online retail, real wholesale)
- equity value
- Nacional and SIMEI models: situations (select / unselect)
- IRS: date of incorporation, registration status (active / download / inactive)
- Sintegra: registration state number, active start date, registration status
- Mosaic: targeting groups and subgroups
- credit score: risk score, level of risk (low / medium / high)
- bad check: Bank and branch code, reason (no money / account is closed)
- Debtor: type (primary, co-responsible), entity responsible, register, credit type (fine, IRPJ, COFINS, CSLL, etc.), amount
Updated on January 25 with new locator Serasa