A large database with around 33 million jobseeker profiles for people in China has been left exposed and unprotected online. The profiles contained sensitive information that would be valuable to identity thieves and scammers.
Sanyam Jain, a security researcher, discovered the database using the Shodan search engine. Shodan has been described as the “search engine for everything on the internet.” Google and most of the other popular search engines only index web pages, whereas Shodan indexes most things it comes across, including webcams, yachts, water treatment facilities, medical devices, wind turbines, traffic lights, license plate readers, smart TVs and much more. It has also been referred to as “the scariest search engine on the planet” by people worried about its potential as a tool for hackers.
The database is a 57GB Elasticsearch database. Elasticsearch is a full-text search engine that stores documents rather than schema-bound tables; it is free and open source, making it an attractive option for businesses.
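An Elasticsearch node ends up exposed like this when it is bound to a public interface with no authentication in front of its HTTP API. The following is an added example, not code from the article or from any of the companies it names: a small checker that reads flat `elasticsearch.yml`-style settings and flags the combination that leaves a cluster open, with a constructed exposed configuration beside a constructed hardened one. The setting names (`network.host`, `xpack.security.enabled`, `xpack.security.http.ssl.enabled`) are real Elasticsearch settings; treating an absent security setting as disabled is an assumption made for a conservative check.

```python
"""Flag Elasticsearch node settings that leave the HTTP API reachable
without authentication.

Added example for illustration; the two configuration samples below are
constructed, not taken from any real deployment.
"""

# Constructed sample: node bound to every interface with security switched off.
EXPOSED_CONFIG = """\
cluster.name: recruiting-prod
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed sample: the same node with the settings corrected.
HARDENED_CONFIG = """\
cluster.name: recruiting-prod
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

# Values of network.host that listen on non-loopback interfaces.
PUBLIC_BINDINGS = {"0.0.0.0", "::", "_global_", "_site_"}
LOOPBACK_PREFIXES = ("127.", "localhost", "_local_", "::1")


def parse_flat_yaml(text):
    """Parse flat `key: value` lines, which is all elasticsearch.yml normally uses.

    Comments after '#' are dropped; quotes around values are stripped.
    Nested YAML blocks are not handled, so this is a checker, not a YAML loader.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def exposure_findings(text):
    """Return a list of human-readable findings; an empty list means no exposure found."""
    s = parse_flat_yaml(text)
    findings = []

    # Elasticsearch binds to loopback when network.host is absent.
    host = s.get("network.host", "_local_")
    if host in PUBLIC_BINDINGS or not host.startswith(LOOPBACK_PREFIXES):
        findings.append(
            f"network.host={host}: HTTP API on port "
            f"{s.get('http.port', '9200')} is reachable from other hosts"
        )

    # Assumption: an absent security setting is treated as disabled, which is
    # the conservative reading for the 6.x-era clusters common in 2019.
    if s.get("xpack.security.enabled", "false").lower() != "true":
        findings.append("xpack.security.enabled is not true: no authentication on the HTTP API")

    if s.get("xpack.security.http.ssl.enabled", "false").lower() != "true":
        findings.append("xpack.security.http.ssl.enabled is not true: traffic is in clear text")

    return findings


if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}]")
        for finding in exposure_findings(cfg) or ["no exposure findings"]:
            print("  -", finding)
```

Run against the exposed sample the checker reports three findings (public binding, no authentication, no TLS); the hardened sample reports none. A real review would also confirm that a firewall or security group limits port 9200 to the application tier, since a correct `network.host` alone does nothing for a node that must serve other machines.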
The database contains user profiles of people in China who uploaded their resume and personal information to various job recruitment websites.
The sensitive data included the job seeker’s username, age, gender, current city, home address, email address, marriage status, phone number, job history, education history, and salary history. This information could be extremely valuable to scammers looking to commit identity theft, or attackers looking to pull off sophisticated phishing scams.
In a Tweet, Sanyam Jain said:
Also not only current location but their marital status, company name, gender, email, phone number, expected city, resume_updated last, company name, firm, location, education, school, degree, major, degree rank etc are also exposed. What a database?
Jain discovered the database on 10 March 2019 and attempted to find its owner to warn them of the exposed information, but he was unable to do so. He did, however, see references within the database to Chinese job recruitment companies such as 51Jobs, lagou, and Zhilian.
In another Tweet, Jain stated:
I don’t understand how the companies can put up all these online. My advice: please do hire cybersecurity experts, you really need it.
When he was unable to determine the owner of the database, Jain contacted CNCERT on 11 March. CNCERT is the national Computer Network Emergency Response Technical Team/Coordination Center of China. Jain received a response the same day saying that they had identified the owner of the database and would contact them to have it shut down.
The database was closed on March 13, 2019.
It is still unclear who was using the data, or if it was exploited at any point.