Speedio alleged leak exposes 62M records

DarkWebInformer said on May 19 that data tied to Speedio, a Brazil-based B2B prospecting platform, was allegedly exposed in a dataset of about 62 million records. The post described a cache containing contact emails and company-related information, but did not link to a statement from Speedio. A separate listing on Have I Been Pwned, the breach-notification service run by security researcher Troy Hunt, describes an unverified Speedio breach involving more than 62 million records and 27 million unique email addresses. Speedio markets itself as a lead-generation and sales prospecting platform for Brazilian businesses. On its website, the company says it helps customers build B2B lead lists and claims to have data on more than 25 million active companies in Brazil, 17 million mapped decision-makers, 20 million phone numbers and 17 million emails. ### Where does the 62 million figure come from? Have I Been Pwned says the alleged Speedio data was posted for sale in December 2024 on a hacking forum. (haveibeenpwned.com) The service describes the material as “over 62M records” of largely public business information, including company names, phone numbers and physical addresses, plus 27 million unique email addresses. Cybersecurity outlets and breach trackers have repeated the same basic account, but Have I Been Pwned labels the incident “unverified.” That means the service says the origin of the data could not be independently confirmed. (speedio.com.br) ### What kind of information was allegedly exposed? Have I Been Pwned says the alleged dataset included company names, email addresses, phone numbers and physical addresses. The DarkWebInformer item referenced in the reporting around the case also described company and contact data rather than passwords or payment-card information. (haveibeenpwned.com) Speedio’s own marketing helps explain why that mix of data matters. The company advertises tools for identifying decision-makers, segmenting leads by company profile and exporting validated contact information for outbound sales teams. (haveibeenpwned.com) ### Was this described as a hack or an exposure? Have I Been Pwned says the data was allegedly obtained from an unsecured Elasticsearch instance. That description points to an exposed database rather than a confirmed intrusion, though the service says the claim could not be independently verified. (haveibeenpwned.com) The distinction matters because exposed databases often contain aggregated business-contact data collected from multiple sources. (speedio.com.br) Have I Been Pwned says the records were “largely public business information,” and many of the 27 million email addresses were from public email providers such as Gmail and Outlook. ### What has Speedio said publicly? Speedio’s privacy policy says the company is committed to protecting personal data and complying with Brazil’s General Data Protection Law, known as the LGPD. (haveibeenpwned.com) The policy, updated in October 2023, says the company treats information such as names, addresses, email addresses, IP addresses and job titles as personal data. Have I Been Pwned says Speedio “did not respond to multiple attempts to disclose the incident.” As of Wednesday, a public company statement about the alleged exposure was not readily visible in the materials reviewed. (haveibeenpwned.com) ### What can users or affected contacts verify next? People who want to check whether an email address appears in the alleged incident can look for the Speedio entry on Have I Been Pwned, which lists the exposure as unverified. (speedio.com.br) Speedio’s public privacy-policy page also identifies the company’s data-protection framework and the categories of personal data it says it handles under the LGPD. (haveibeenpwned.com)