🚨🇧🇷 MASSIVE BRAZIL BIOMETRIC BREACH EXPOSES 1.6M IDs
— Reclaim The Net (@ReclaimTheNetHQ) March 31, 2025
FACEPASS, Brazil’s facial ID app, left 1.6M sensitive files wide open on AWS. Leaked data includes selfies, tax IDs, phone numbers — even AWS keys.
As Brazil races to roll out digital ID, this blunder shows how fragile the… pic.twitter.com/03BXeOBbBM
https://reclaimthenet.org/brazil-facepass-breach-exposes-brazil-digital-id-risks-biometric-data-leak
The recent breach at FacePass, a Brazilian facial recognition and identification app, has exposed deep vulnerabilities in the growing digital ID ecosystem. Over 1.6 million files containing sensitive user data and internal system credentials were left unsecured in a misconfigured Amazon Web Services (AWS) S3 bucket, according to cybersecurity researchers at Cybernews. The exposed data includes national identity numbers, facial verification selfies, full names, CPF tax IDs, phone numbers, and AWS access credentials — painting a troubling picture of both individual and systemic risk.
As Brazil moves rapidly toward integrating biometric verification and digital ID into its national infrastructure, this incident highlights how fragile such digital identity systems can be, especially as more and more countries are pushing to implement the controversial system.
Cybersecurity experts warn that the leaked materials could be weaponized in identity theft, financial fraud, and highly targeted phishing campaigns. The ability to pair selfies with official identification documents significantly increases the risk of biometric spoofing — where attackers mimic a person's physical traits to bypass authentication systems.
More troubling is the exposure of FacePass's own AWS credentials, which could have given bad actors a pathway into the company's broader systems. This lapse is particularly concerning given recent upgrades in AWS's Identity and Access Management (IAM) tools — tools that were either misconfigured or ignored. When companies fail to properly secure the very systems meant to protect biometric data, the consequences extend far beyond simple technical failure — they directly undermine user trust and public safety.
This breach is not an isolated issue — it reflects a growing, systemic problem in how digital identity platforms are designed and maintained. Biometric data is immutable; it can't be changed like a password. Once leaked, it remains vulnerable indefinitely. When these identifiers are tied to centralized databases, as they often are in digital ID programs, the stakes are even higher. One breach becomes a single point of catastrophic failure, potentially compromising millions of identities in one stroke.
Imagine trusting Brazilians with any sensitive data, lmao
The AI rebelled against being forced to closely look at
faces all day 
All the twitter commenters are saying decentralization would have avoided this
Because obviously you make the data safer by putting copies of it everywhere