Months after Lopes claimed no anomalies found in their system, hackers were in their system

Lopes is a Brazilian firm that provides real estate services in the form of brokerage and project and financial consulting. Lopes had what appears to be a data breach involving customer data earlier this year. But why the data breach may have continued for months after they denied finding any anomaly in their system is somewhat of a mystery.

In March 2022, Paulo Brito of CISO Advisor reported (machine translation below):

Now, images of documents supposedly owned by Lopes Real Estate and a link to a 2.15MB data file have been published on the Internet. The leak was made by a profile that identifies itself as Matron Group and claims to have gained access to one or more of the company’s servers.”

At that time, Lopes informed CISO Advisor that the files would have been exfiltrated from the franchisee network and “no anomalies have been detected in the network’s systems.”  Lopes declined to provide further details and DataBreaches was unable to find any follow-up disclosures by them. According to media coverage in Brazil cited by CISO Advisor, the breach would have been at Lopes Prime.

A few months later, an individual or individuals identifying as “Matrong” contacted by email, claiming to have 13 GB of data from Lopes.

Inspection of the sample files Matrong provided to this site revealed internal documents ranging in date from December 2021 to May 2022. Some documents related to customers or buyers.

The finding of data from May — months after the March report of a breach and after Lopes claimed they had found no anomalies in their network — raised questions. Was Lopes responsible for security on the franchisees’ systems, or was each franchisee responsible? What did Lopes do after finding that data had been stolen? Did it identify the franchisee? Did it ensure that any vulnerability or problem was addressed?

A sample sent to us by the hacker, redacted by, shows correspondence from May 2022, months after Lopes first claimed they had no evidence of any breach of their system.


DataBreaches contacted Lopes via email on July 12 and again on July 16 to ask about Matrong’s claims and to ask whether Lopes had notified anyone of this breach. No reply was received at all. DataBreaches also contacted two people whose personal information appears to have been stolen by the Matrong group to ask   whether the company had contacted them to notify them of this incident. No replies were received.

Although Lopes did not reply to our inquiries, DataBreaches did get some answers from email inquiries put to Matrong, who requested they be referred to as Boldenis77.

Boldenis77 claims they targeted Lopes because they were specifically looking for a real estate company. “We tried 4, one of them is Lopes. This type of company handles a lot of documents,” their spokesperson told DataBreaches.

And according to their spokesperson, Lopes was reportedly first attacked in February “through backdoor.”  The spokesperson stated that they did make a ransom demand on Lopes but that Lopes did not respond at all. “They didn’t respond us,” the spokesperson told DataBreaches, adding that it was Mr. Marcos Lopes and Mr. Cyro Naufel whom they had contacted.

Boldenis77 did not encrypt any files by the time DataBreaches communicated with them, and  reportedly has since lost access.

At this time, then, DataBreaches does not know if any consumers whose personal information was acquired has been notified by Lopes.  Nor does DataBreaches know if any data has been leaked or sold.

If you are a customer of Lopes, have you been notified by them of any breach? Contact the reporter at [email protected][.]com.

Additional reporting and editing by Dissent.

About the author: chum1ng0

Comments are closed.