High

APOIA.se Breach: 451K Accounts Exposed

In December 2025, a database of the Brazilian crowdfunding platform APOIA.se was posted to an online forum. In January 2026, the company confirmed it had suffered a data breach. The incident exposed 451k unique email addresses along with names and physical addresses.

Overview

On December 11, 2025, a database from the Brazilian crowdfunding platform APOIA.se was posted to an online forum, exposing 450,764 unique user accounts. The company confirmed the breach in January 2026, revealing that the incident compromised email addresses, full names, and physical addresses of its users. The breach was reported to Have I Been Pwned (HIBP), allowing users to check whether their data was among the leaked records.

APOIA.se is a popular platform in Brazil for crowdfunding creative projects, personal causes, and business ventures. The breach puts users at heightened risk for doxxing, targeted phishing, and physical security concerns - particularly given the sensitive nature of crowdfunding campaigns, which often involve personal appeals and financial transactions.

What Was Exposed

The compromised data includes three categories, each with distinct risks:

  • Email Addresses - These are routinely weaponized for phishing attacks. With a confirmed APOIA.se account, scammers can craft convincing emails referencing specific campaigns or donation history to gain trust.
  • Names - Full names help attackers personalize scams, making phishing emails appear more legitimate. Combined with email addresses, this increases the chance of victims clicking malicious links.
  • Physical Addresses - This is the most concerning exposure. Physical addresses enable targeted mail fraud, identity theft, and, in extreme cases, physical stalking or harassment. For crowdfunding campaign creators, this data could be used to link their home address to sensitive causes or projects they supported.

How the Breach Happened

APOIA.se has not publicly detailed the attack vector. The shape of the leak - a single database posted directly to a forum - is consistent with several possibilities, such as a SQL injection vulnerability, a compromised internal account, or an exposed cloud storage bucket, but none of these has been confirmed. The company has not issued a full technical post-mortem; publishing one is standard practice after such incidents, as it helps the security community understand and prevent similar breaches.

Phishing and Social Engineering Risks

With email addresses and names in hand, attackers can craft highly targeted phishing campaigns. Expect emails that appear to come from APOIA.se support, claiming account issues or requesting password verification. A more dangerous scenario: scammers may contact users referencing their specific crowdfunding campaign by name, asking for “donation verification” or “funds release” - leading to credential theft or malware installation.

Physical addresses also open the door to postal mail scams - fake checks, invoices, or prize notifications designed to extract bank details or install malware via QR codes.

What to Do Right Now

  • Check if you’re affected - Visit haveibeenpwned.com and search your email address. If APOIA.se appears in the results, your data was in this breach.
  • Change your APOIA.se password immediately - Even if passwords weren’t exposed in this specific incident, use a unique, strong password for the platform. Enable two-factor authentication (2FA) if available.
  • Watch for phishing emails - Be skeptical of any unsolicited emails referencing APOIA.se, especially those asking you to click links, download attachments, or provide personal information.
  • Secure other accounts - If you reused your APOIA.se password elsewhere, change those passwords now. Use a password manager to generate and store unique credentials.
  • Physical mail vigilance - Monitor your mailbox for suspicious letters or packages. Do not scan QR codes or click links from unknown senders.

Security Insight

This breach, while technically modest in scale, demonstrates the disproportionate risk crowdfunding platforms carry. Because these platforms handle personal appeals and financial transactions, exposed physical addresses can directly threaten a user’s safety - especially for creators running sensitive campaigns (e.g., medical fundraisers, LGBTQ+ support, or whistleblower funds). APOIA.se’s delayed confirmation and lack of a detailed technical disclosure - common among smaller Brazilian tech companies - underscores a gap in incident response transparency that the country’s broader cybersecurity regulatory framework, such as the Lei Geral de Proteção de Dados (LGPD), is designed to address. For threat actors, this data set is valuable not for credential reuse, but for building high-confidence social engineering profiles against a particularly vulnerable user base.
