When the first cases emerged, they were treated as isolated incidents. Now, with more than 1 million Pix keys exposed since 2021 according to data recently released by the Central Bank, it is more accurate to call them common. The most recent case, at Cashway Technology, involved only 50 keys, but it was enough to put the security of Brazil's instant payment system back under discussion.
New leak incidents reported in the first months of this year have raised concerns about the protection of users' personal data. Before Cashway, the problem had occurred at QI Sociedade de Crédito Direto, exposing 25,349 customer Pix keys. The XP case (XPBR31) also had significant repercussions: at the end of April the company informed customers that a database hosted at an external supplier of the financial institution had experienced 'unauthorized access'. The exposed data included names, phone numbers, emails, dates of birth, postal codes, marital status, job titles and nationalities, as well as information on contracted financial products, XP account numbers and previous-month balances.
According to Thiago Guedes, CEO of DeServ, a company specializing in information security and data privacy, companies responsible for protecting Pix keys need to monitor the entire development pipeline of their applications and systems, from the programming and testing phases through to production, if they are to avoid the occasional system failure. The purpose of this monitoring is precisely to prevent potential issues and failures before they occur.
‘In this way, all companies handling personal data need to develop continuous improvement processes covering both legal and information security aspects. During all stages of data processing, it is crucial to seek immediate compliance with the LGPD (Brazilian General Data Protection Law). The legislation itself requires a Data Protection Impact Report, and the company must structure itself to ensure these processes are well underway to manage potential risks,’ he says.
Pix key holders, for their part, should bear in mind that it is not always possible to know whether, or when, their data has been leaked, so the best course is to take extra security measures as a matter of routine. 'Although the leaked data does not include passwords or allow financial transactions, any exposure of personal information can facilitate attempts at fraud, especially through social engineering,' he warns.
Guedes provides some tips on how to protect yourself.
Monitor your Pix keys: regularly track the use of your Pix keys through your banking app. If you notice anything unusual or unfamiliar, contact your financial institution immediately.
Enable alerts and notifications: keep Pix transaction notifications enabled on your phone to quickly identify any unauthorized activity.
Beware of suspicious messages: scammers often use leaked data to send fake messages (phishing). Never click on links received via SMS, WhatsApp, or email, even if they seem legitimate.
Update your information: if you suspect your key has been compromised, you can request portability or deletion of your Pix key from your bank.
Use multi-factor authentication: whenever possible, enable two-step verification in financial apps and set up strong, unique passwords.
Check if your data has been leaked: the Central Bank provides official channels to inform users about potential leaks. Stay alert to announcements directly in your banking app or on the Central Bank's website.
According to the Central Bank, the data exposed in the Pix key leaks includes names, CPF numbers, associated banks, branch numbers, and Pix key creation dates. No sensitive data, such as passwords, balances, or statements, was compromised. Still, the recommendation is to remain extra vigilant.
‘Pix is a secure system, but no technology is immune to operational failures. That’s why user caution is an essential part of protection,’ concludes the expert.