What caused the CIEE data breach?

The root cause was identified as a misconfigured Google Cloud Storage bucket (ciee-storage.storage.googleapis.com) that was publicly accessible without authentication. The exposed bucket contained over 364,000 files, significantly larger than the initial dataset published by the threat actor.

What personal information was exposed in the CIEE breach?

The exposed data includes full names, postal codes and addresses, email addresses, phone numbers, CPF numbers (Brazilian taxpayer IDs), registration dates, age information, personality profiles, educational background, employment status, professional experience records, and biometric data including facial recognition information.

What types of files were exposed in the CIEE data breach?

The breach exposed various file types including medical reports and evaluations (2,838 PDF files), profile pictures (281,912 JPEG/PNG files), job application videos (~8,000 MP4/MOV files), curriculum vitae and resumes (~40,000 PDF/JPEG files), and internal tracking sheets and operational data (264 Excel documents).

Has the CIEE data breach been contained?

As of July 2, 2025, the issue had not been contained, allowing the threat actor to continue collecting exposed personally identifiable information from the misconfigured Google Cloud Storage bucket.

How was the authenticity of the CIEE breach data verified?

Resecurity validated the authenticity of the stolen data and contacted multiple victims who confirmed they were registered users at CIEE, providing verification that the exposed information was legitimate and belonged to actual platform users.

What sensitive documents were exposed in the CIEE breach?

The breach exposed highly sensitive documents including medical reports and evaluations, job application videos, complete resumes and curriculum vitae, internal company tracking sheets, biometric data including facial recognition information, and comprehensive personality profiles of job candidates.

What is a CPF number and why is its exposure concerning?

CPF (Cadastro de Pessoas Físicas) numbers are Brazilian individual taxpayer identification numbers, similar to Social Security numbers in the US. Their exposure is concerning because CPF numbers are used for financial transactions, government services, and identity verification throughout Brazil, making them valuable for identity theft and fraud.

What should CIEE users do to protect themselves after this breach?

CIEE users should monitor their financial accounts for suspicious activity, be cautious of phishing attempts using their exposed personal information, consider placing fraud alerts with Brazilian credit agencies, update passwords on all accounts, and be vigilant for identity theft attempts using their exposed CPF numbers and personal details.

Was biometric data included in the CIEE breach?

Yes, the breach included biometric data including facial recognition information along with 281,912 profile pictures. This type of biometric data exposure is particularly concerning as it cannot be changed like passwords and could be used for identity fraud or unauthorized access to biometric-secured systems.

Incident

Brazilian recruitment platform CIEE leaks 248 K records

Q: What happened to CIEE (Centro de Integração Empresa-Escola)?

CIEE, a Brazilian recruitment and selection platform, exposed personal information of hundreds of thousands of users. The leak was publicized when threat actor '888' published over 248,725 records containing sensitive personally identifiable information stolen from the platform through a misconfigured Google Cloud Storage bucket.

Q: Who is the threat actor '888' that publicized the CIEE breach?

Threat actor '888' has a credible reputation on the Dark Web for conducting large-scale data breaches and has successfully targeted corporations including Microsoft, BMW (Hong Kong), and others in the tech, freight, and oil & gas industries.

published: July 3, 2025

Learn More

CIEE (Centro de Integração Empresa-Escola), a Brazilian recruitment and selection platform has exposed personal information of hundreds of thousands of users. The leak was publicized when threat actor "888" published over 248,725 records containing sensitive personally identifiable information stolen from the platform. The threat actor has a credible reputation on the Dark Web for conducting large-scale data breaches, and has successfully targeted corporations including Microsoft, BMW (Hong Kong), and others in the tech, freight, and oil & gas industries.

CIEE One serves as a recruitment service connecting candidates with major Brazilian corporations, including top financial institutions, energy companies, oil & gas providers, telecommunications firms, and technology companies. According to the CIEE official website, the service "connects talent with the largest companies" in Brazil.

The root cause of the breach was identified as a misconfigured Google Cloud Storage bucket that was publicly accessible without authentication. During a security assessment of cloud resources, a misconfigured publicly accessible Google Cloud Storage bucket (ciee-storage.storage.googleapis.com) belonging to CIEE was discovered. The investigation revealed that the exposed bucket contained over 364,000 files totaling approximately 28 GB in size, significantly larger than the initial dataset published by the threat actor.

The exposed data includes:

Full names (Nome Completo)
Postal codes and addresses (CEP, Bairro, Cidade, Estado)
Email addresses
Phone numbers (Telefone)
CPF numbers (Brazilian individual taxpayer identification numbers)
Registration dates (Data de Cadastro)
Age information
Personality profiles
Educational background (Formação)
Employment status and hired positions
Professional experience records
Medical reports and evaluations (2,838 PDF files)
Profile pictures (281,912 JPEG/PNG files)
Job application videos (~8,000 MP4/MOV files)
Curriculum vitae and resumes (~40,000 PDF/JPEG files)
Internal tracking sheets and operational data (264 Excel documents)
Biometric data including facial recognition information

The number of affected individuals was initially reported as 248,725 records, but the full investigation revealed exposure of over 364,942 files. As of July 2, 2025, the issue had not been contained, allowing the threat actor to continue collecting exposed PII. Resecurity validated the authenticity of the stolen data and contacted multiple victims who confirmed they were registered users at CIEE.

Resecurity notified CERT.br regarding this matter on July 2, 2025, and shared actionable intelligence about the identified vulnerability that led to cloud bucket data exposure.

Brazilian recruitment platform CIEE leaks 248 K records

Read More
Australian financial services firm Skeggs Goldstien hit by …
Wright, Moore, DeHart, Dupuis & Hutchinson reports data …
Chimienti & Associates reports data breach caused by …
Triage Staffing reports third party data breach exposing …
Arden Claims Service reports data breach, exposing 139k