248,725 Exposed in CIEE One Data Breach
Cybercriminals Target Brazil: 248,725 Exposed in CIEE One Data Breach
July 03, 2025
Resecurity found a breach in Brazil’s CIEE One platform, exposing PII and documents, later sold by data broker “888” on the dark web.
Resecurity identified a data breach of one of the major platforms in Brazil connecting businesses and trainees called CIEE One – leading to the compromise of sensitive PII, including ID records, contact information, medical reports, scans of documents, and other related data. Notably, the stolen data was offered for sale by underground data broker “888.”
CIEE One is a personalized recruitment and selection service offered by CIEE Centro de Integração Empresa-Escola (Business-School Integration Center) for companies seeking candidates for internships and apprenticeship programs. It connects specialists and businesses, ranging from major international corporations to local entities in Brazil. The service is widely used by top financial institutions in Brazil, as well as popular online platforms, energy, oil & gas, telecommunications, and technology providers. According to the CIEE official web-site, the service “connects talent with the largest companies” in Brazil – including Bradesco, Caixa, Claro, BRF, and many others.
Why do threat actors target such services? Primarily, because they aggregate large amounts of sensitive PII collected for due diligence and recruitment processes, making them valuable targets for cybercriminals. Stolen data can be easily monetized on the Dark Web and used for further identity theft and financial fraud.
According to the company’s HUNTER team the exposed Google Cloud Storage bucket was the root cause of the compromise. The company alerted the affected party, and shared further intelligence with Computer Emergency Response Team Brazil (CERT.br). Unfortunately, the exposed cloud buckets remain very widely exploitable by threat actors for data theft, due to a lack of protection for cloud services and inadequate configuration hardening.
The profile of “888” has existed since at least 2024, when he was successfully targeting corporations, including Microsoft, BMW (Hong Kong), and others in the tech, freight, and oil & gas industries. This actor is known to be a “straight shooter,” selling acquired databases exclusively due to his great reputation and a proven track record of leaks within the underground community.
Resecurity characterizes “888” as a sophisticated underground data broker operating for profit (financially motivated), targeting public-facing services and applications. Notably, his previous activities overlap with those of notable actors such as IntelBroker, who the Federal Bureau of Investigation (FBI) recently indicted for monetizing stolen data on the Dark Web belonging to various corporations and government agencies.
According to the expert statistics, 41% of cloud breaches are caused by misconfigurations, with exposed buckets being a leading contributor.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, CIEE One)
