- A threat actor on an underground forum claims full control of 10 shared hosting servers belonging to Hostoo Brazil.
- The actor claims access to 786 SSH shell accounts, more than 1.9GB of SQL dumps, and 50+ databases.
- If the claims are validated, organizations in fintech, insurance, government, healthcare and education are among those potentially exposed.

A threat actor is claiming a complete takeover of Hostoo Brazil, a Brazilian shared hosting and cloud provider. The post, tagged “LIVE – Verified today,” lists what the actor says was taken: full control of 10 shared servers, hundreds of SSH accounts, and databases belonging to organizations in some of Brazil’s most sensitive sectors.
The Actor Claims Sweeping Access via Basic Security Loopholes
According to the post, the initial entry point was a MySQL service exposed on port 3306 with no IP restriction in place. Reused passwords then reportedly gave the actor SSH access to the servers as well. Several accounts reportedly held the MySQL FILE privilege, which allows reading and writing files on the database server's filesystem (for example via LOAD DATA INFILE or SELECT ... INTO OUTFILE) and therefore turns a database compromise into a foothold on the host itself.
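The three weaknesses the post describes are all checkable from a server's own configuration. The script below is an added example written for this article, not code from Hostoo or from the forum post; it parses a constructed my.cnf excerpt and constructed rows from MySQL's mysql.user table (the function names, user names and the subnet in the suggested fix are the example's own assumptions) and reports an exposed bind-address, an empty secure_file_priv, wildcard-host accounts and non-root accounts holding FILE, with a remediation for each.

```python
"""Added example (not from the original article or from Hostoo): audit a MySQL
server for the conditions the post describes. All input below is constructed."""
import re
from dataclasses import dataclass

# Constructed my.cnf excerpt: the weak settings expose 3306 on every interface
# and let FILE-privileged users read or write any path the server can reach.
WEAK_CNF = """
[mysqld]
port = 3306
bind-address = 0.0.0.0
secure_file_priv =
"""

# Corrected excerpt: listen on loopback only and confine FILE I/O to one directory.
HARDENED_CNF = """
[mysqld]
port = 3306
bind-address = 127.0.0.1
secure_file_priv = /var/lib/mysql-files
"""

# Constructed rows, as returned by: SELECT User, Host, File_priv FROM mysql.user;
USER_ROWS = [
    ("root", "localhost", "Y"),
    ("app_fintech", "%", "Y"),   # reachable from anywhere and can touch server files
    ("app_site", "%", "N"),
    ("backup", "10.0.0.5", "N"),
]


@dataclass
class Finding:
    severity: str
    message: str
    fix: str


def parse_cnf(text):
    """Return the [mysqld] options as a dict (keys normalised to snake_case)."""
    opts, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            continue
        if section == "mysqld" and "=" in line:
            k, v = line.split("=", 1)
            opts[k.strip().lower().replace("-", "_")] = v.strip()
    return opts


def audit(cnf_text, user_rows):
    """Flag network exposure, unrestricted FILE I/O, wildcard hosts and FILE grants."""
    findings = []
    opts = parse_cnf(cnf_text)
    bind = opts.get("bind_address", "*")  # MySQL defaults to all interfaces when unset
    if bind in ("0.0.0.0", "::", "*"):
        findings.append(Finding("high",
            f"MySQL listens on all interfaces (bind-address={bind})",
            "bind-address = 127.0.0.1, or firewall TCP/3306 to known client hosts"))
    if opts.get("secure_file_priv") == "":
        findings.append(Finding("high",
            "secure_file_priv is empty: FILE privilege can read/write any path",
            "secure_file_priv = /var/lib/mysql-files"))
    for user, host, file_priv in user_rows:
        if host == "%":
            findings.append(Finding("medium",
                f"'{user}'@'%' accepts logins from any source address",
                f"RENAME USER '{user}'@'%' TO '{user}'@'10.0.0.%';  -- assumed app subnet"))
        if file_priv == "Y" and user != "root":
            findings.append(Finding("high",
                f"'{user}'@'{host}' holds the FILE privilege",
                f"REVOKE FILE ON *.* FROM '{user}'@'{host}';"))
    return findings


if __name__ == "__main__":
    for f in audit(WEAK_CNF, USER_ROWS):
        print(f"[{f.severity}] {f.message}\n    fix: {f.fix}")
```

Run against the hardened excerpt with only localhost and fixed-IP accounts, the audit returns nothing; against the weak excerpt it reports five findings, two of them for the single wildcard account that also holds FILE.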
The actor claims to now hold full control over 10 shared hosting servers from Hostoo Brazil, access to 786 SSH shell accounts with valid credentials, over 1.9GB of SQL dumps spread across 29 files, and entry into more than 50 databases.
The breakdown the actor published names specific servers and their contents. One server hosts fintech-related databases through a platform called “seguroconectado.” Another carries over 1.1GB of large mixed databases.
Others contain casino and lottery systems, as well as municipal government records from entities like “camara ibirarema” and “camara muritiba.” The actor also claims large-scale extraction of Brazilian CPF records (the national taxpayer identification number) alongside internal databases belonging to hosted customers.
The sectors the actor lists as affected include government (specifically municipal chambers), fintech and insurance, legal services, healthcare, and education. This range matters because each of these sectors handles data that carries serious consequences when it falls into the wrong hands.
A Single Breach, Multiple Victims
What makes this claim particularly alarming is the structure of shared hosting itself, which multiplies the damage. When a hosting provider suffers a breach, every tenant on that infrastructure becomes a potential victim, regardless of whether they did anything wrong.
The actor reportedly accessed government entities, a fintech platform, a casino system, and commercial hosting clients all from the same foothold.
The reach of cyberattacks in Brazil extends beyond hosting providers. A separate WhatsApp Trojan campaign has been targeting crypto users directly on their mobile devices, showing that Brazilian victims are being attacked from both the server side (data breaches) and the client side (mobile malware).
This is the cascading risk that shared infrastructure carries, and it is exactly why a single provider breach can spiral into a multi-organization crisis.
The potential consequences here are significant. Stolen SSH credentials could give attackers persistent access long after the intrusion is discovered, unless every affected credential is rotated. Database exfiltration could expose citizen records, financial data, and proprietary business information.
Lateral movement across tenants could allow the actor to pivot into connected systems. Ransomware deployment remains a real downstream risk. Supply-chain compromise is also possible if any hosted clients serve larger organizations.
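One detection worth running on every server named in a dump like this is a check for a single source address authenticating by password as many different accounts, which is the pattern a leaked set of hundreds of SSH credentials produces once it is used. The script below is an added example, not code from the article or from any party it names; the log lines are constructed in sshd's standard syslog format, the usernames and addresses are fictitious, and the threshold of two accounts per source is an assumption to tune per environment.

```python
"""Added example (not from the original article): flag sources that log in to
many distinct accounts by password on one host. Log lines are constructed."""
import re
from collections import defaultdict

# Constructed sshd lines in syslog format; addresses are documentation ranges.
SAMPLE_AUTH_LOG = """\
Mar 14 02:11:04 shared07 sshd[1201]: Accepted password for site_a from 203.0.113.9 port 51000 ssh2
Mar 14 02:11:09 shared07 sshd[1207]: Accepted password for site_b from 203.0.113.9 port 51002 ssh2
Mar 14 02:11:15 shared07 sshd[1214]: Accepted password for site_c from 203.0.113.9 port 51005 ssh2
Mar 14 02:11:22 shared07 sshd[1220]: Failed password for site_d from 203.0.113.9 port 51006 ssh2
Mar 14 02:11:23 shared07 sshd[1220]: Accepted password for site_d from 203.0.113.9 port 51006 ssh2
Mar 14 02:30:01 shared07 sshd[1300]: Accepted publickey for backup from 198.51.100.4 port 40010 ssh2
Mar 14 08:12:44 shared07 sshd[1410]: Accepted password for site_a from 198.51.100.77 port 40122 ssh2
"""

AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.:a-fA-F]+) port \d+"
)


def parse_auth_log(text):
    """Extract result, method, user and source IP from each sshd auth line."""
    return [m.groupdict() for m in (AUTH_RE.search(l) for l in text.splitlines()) if m]


def flag_credential_stuffing(events, max_accounts_per_ip=2):
    """Return {ip: sorted accounts} for sources that successfully authenticated
    by password as more than max_accounts_per_ip distinct users."""
    by_ip = defaultdict(set)
    for e in events:
        if e["result"] == "Accepted" and e["method"] == "password":
            by_ip[e["ip"]].add(e["user"])
    return {ip: sorted(users) for ip, users in by_ip.items()
            if len(users) > max_accounts_per_ip}


def accounts_to_rotate(flagged):
    """Every account a flagged source reached should be treated as compromised."""
    return sorted({u for users in flagged.values() for u in users})


if __name__ == "__main__":
    flagged = flag_credential_stuffing(parse_auth_log(SAMPLE_AUTH_LOG))
    for ip, users in flagged.items():
        print(f"{ip} authenticated as {len(users)} accounts: {', '.join(users)}")
    print("rotate:", ", ".join(accounts_to_rotate(flagged)))
```

Only password logins count: a key-based login to a service account and a single later password login from another address are left alone, while the source that walked through four accounts in twenty seconds is reported along with the list of accounts whose passwords need rotating.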
The Exposure of Brazilian CPF Records Adds Another Layer of Concern
CPF numbers are tied directly to individual Brazilian citizens and their financial identities. Large-scale theft of these records enables fraud, phishing campaigns, and identity theft against people who have no idea their data is at risk.
As with any underground-forum post, the claims need independent validation. Such posts can inflate scope, recycle old records, or fabricate access outright. Security researchers and the affected organizations themselves would need to examine the alleged dumps and server logs to confirm what actually happened.