On Friday, January 13, the Brazilian Central Bank (BC) announced that there was a data leak concerning personal information linked to 5,290 Pix keys managed by Agibank. This event represents the first data leak of its kind in 2026 and the 21st since the initiation of the instant payment system in November 2020. The exposed data includes user names, partially masked tax identification numbers (CPFs), associated institutions, agency numbers, as well as account numbers and types.

Despite the severity of the incident, the Central Bank clarified that no sensitive information such as passwords, transaction details, or account balances were compromised. The timeframe for the leak was noted to be between December 26, 2025, and January 30, 2026. Agibank responded to the situation by characterizing it as "point-in-time," emphasizing that the issue was quickly identified and rectified, with no financial impact on customers reported as of yet.

In the wake of the incident, Agibank has stated that its priority has been to implement additional technical measures to safeguard its users. This incident raises significant concerns regarding data security in Brazil's digital banking landscape, especially as incidents of data leaks have become more frequent since the advent of instant payment systems. The response from both the Central Bank and Agibank highlights ongoing efforts to enhance user protection and restore public confidence in digital banking services across the country.