Cyber Incident Victim: XP Investimentos SA
Date: Mar 2025
Location: Brazil
Summary
XP Investimentos reported that an external provider’s database containing customer information was accessed without authorization, resulting in the exposure of registration data such as name, phone, email, birth date, CEP (postal code), marital status, gender, occupation, nationality and XP‑related details including account number, balance, position, advisor name and credit limit. The company stated that none of its internal systems were compromised, that client accounts and investments remain secure and that no password change is required. After discovering the incident, XP Investimentos launched an investigation, notified the relevant authorities and confirmed that the unauthorized access was promptly halted and that the data have not been made public.
Description
On March 22, 2025, XP Investimentos became aware that a database hosted by an external provider had been accessed without authorization. The company reported that it learned of the incident on that date and immediately took steps to block the compromised access. According to the notification sent to clients on the morning of March 24, 2025, the breach was confined to the external provider’s environment and no internal XP systems were accessed. XP emphasized that client accounts and investments remained secure and that there was no need for users to change passwords or take any other action. The firm stated that it had informed the relevant authorities and launched an investigation to determine the full scope of the access.

The unauthorized access resulted in the exposure of specific categories of data stored in the external database. Clients’ registration data, including name, telephone number, e‑mail address, date of birth, CEP (postal code), marital status, gender, occupation and nationality, were accessed. In addition, certain XP‑related data were compromised, namely the XP account number, account balance, position, the name of the assigned advisor and the credit limit, all referring to the month of March. XP noted that the exposed data could be used for social engineering tactics such as targeted phishing or voice‑based phishing (vishing) if malicious actors chose to exploit them, although the company asserted that the data were not being publicly shared or disseminated. The communication repeatedly stressed that the improper access had been promptly interrupted and that client accounts remained safe.

In response to the incident, XP Investimentos initiated a detailed investigation to ascertain the extent of the unauthorized access and to identify how it occurred and was detected. The company reported that it had cooperated with competent authorities and continued to monitor the situation for any further developments. While XP maintained that no XP systems were breached, it acknowledged that questions remained regarding whether the accessed data had been collected or exfiltrated. It also mentioned that possibilities such as credential stuffing had been raised as points requiring clarification, though no confirmation of these was provided. The firm concluded its statement by asserting that preventive measures were in place to protect data integrity and that clients could continue using XP’s applications and websites normally.
