Resecurity has revealed that a notorious underground data broker, operating under the alias “888”, has published a cache of 248,725 sensitive personal records stolen from CIEE (Centro de Integração Empresa-Escola), a prominent Brazilian organization that connects students with internships and apprenticeships.
The leaked data, originally housed in an exposed Google Cloud Storage bucket, includes highly sensitive personal information such as medical reports, CVs, profile pictures, and even videos submitted for job applications.
The actor “888” is no newcomer to the dark web. Resecurity notes:
“The profile of ‘888’ has existed at least since 2024… targeting corporations including Microsoft, BMW (Hong Kong), and others in the tech, freight, and oil & gas industries.”
The CIEE platform is widely trusted by major Brazilian banks, telecom providers, energy firms, and tech companies, making it a ripe target for cybercriminals looking to profit from rich pools of personal data.
“Threat actors target such services… because they aggregate large amounts of sensitive PII collected for due diligence and recruitment processes.”
Resecurity’s threat hunters discovered that ciee-storage.storage.googleapis.com was misconfigured, allowing public read access to more than 364,000 files, totaling ~28 GB. These included:
- 281,912 profile pictures (JPEG/PNG)
- ~8,000 job application videos (MP4/MOV)
- ~40,000 CVs (PDF/JPEG)
- 285 CSV files with ~300,000 candidate records, including full names, email addresses, phone numbers, CPF (Brazilian taxpayer ID), and job details
- 2,838 medical reports (PDF)
- 264 Excel sheets containing internal tracking data and analytics
Resecurity emphasized the severity of the exposure:
“These files contained a significant amount of personal identifiable information (PII), financial documents, medical records, media files, and internal reports.”
This combination of biometric data, medical records, and identity documents is particularly damaging, as many of these cannot be easily changed or revoked, unlike passwords or email addresses.
“888” has a well-established reputation as a “straight shooter” on underground forums, known for publishing authentic leaks and monetizing stolen data. The actor accepts Monero (XMR) for enhanced anonymity and has been compared to IntelBroker, another infamous figure recently indicted by the FBI.
As proof of legitimacy, “888” shared sample records from the breach, which Resecurity verified by contacting affected users, all of whom confirmed being registered on CIEE.
“The actor did not clarify how this data was exfiltrated, but shared a substantial dataset, which Resecurity has validated as authentic.”
The root cause of this breach was traced to a misconfigured Google Cloud bucket. This kind of mistake is unfortunately common and easily exploited.
“Cloud bucket exposure… has become a very popular and significant attack vector for cybercriminals.”
Threat actors use automated tools to scan the internet for publicly accessible buckets. In CIEE’s case, the open bucket granted access to troves of highly private data with no authentication barrier whatsoever.
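A defender can catch this class of misconfiguration by auditing each bucket's IAM policy and access settings for public principals. The following is an added example, not code from Resecurity or from the original article; the bucket name, service account, and both JSON documents are constructed samples in the shape the Cloud Storage API returns.

```python
import json

# Principals that mean "anyone on the internet" / "any Google account".
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample: bucket metadata and IAM policy in the JSON shape
# returned by the Cloud Storage API (the bucket name is a placeholder).
SAMPLE_BUCKET = json.loads("""
{
  "name": "example-recruiting-uploads",
  "iamConfiguration": {
    "uniformBucketLevelAccess": {"enabled": false},
    "publicAccessPrevention": "inherited"
  }
}
""")
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/storage.objectAdmin",
     "members": ["serviceAccount:uploader@example-project.iam.gserviceaccount.com"]}
  ]
}
""")

def public_bindings(policy):
    """Return sorted (role, member) pairs granted to public principals."""
    return sorted(
        (b["role"], m)
        for b in policy.get("bindings", [])
        for m in b.get("members", [])
        if m in PUBLIC_MEMBERS
    )

def audit_bucket(bucket, policy):
    """Return a list of finding strings for one bucket."""
    cfg = bucket.get("iamConfiguration", {})
    findings = [f"PUBLIC_GRANT {r} -> {m}" for r, m in public_bindings(policy)]
    if cfg.get("publicAccessPrevention") != "enforced":
        findings.append("PAP_NOT_ENFORCED public grants are not blocked at bucket level")
    if not cfg.get("uniformBucketLevelAccess", {}).get("enabled", False):
        findings.append("UBLA_DISABLED per-object ACLs can still expose objects")
    return findings

if __name__ == "__main__":
    for finding in audit_bucket(SAMPLE_BUCKET, SAMPLE_POLICY):
        print(f'{SAMPLE_BUCKET["name"]}: {finding}')
```

A bucket with public access prevention enforced, uniform bucket-level access enabled, and no public bindings produces no findings.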
This incident underscores the urgent need for cloud security hygiene. As Resecurity concludes:
“Cloud bucket exposure is not only a popular attack vector… but also one of the most persistent and damaging.”
Organizations handling sensitive PII must adopt proactive monitoring, vulnerability assessments, and hardened access controls to avoid becoming the next breach headline.
Resecurity recommends VAPT testing and ongoing CTI (Cyber Threat Intelligence) gathering to detect threats before they escalate into major breaches.