MongoDB Database Exposed 200 Million Records and Resumes for Over 1 Week
An enormous MongoDB database containing over 200 million job seeker records was accessible for over a week to anyone who came across it. The records in question are of job seekers in China and include resumes. The size of the cache was 854GB.
There were 202,730,434 records sitting on the database, which included the identifiable information that you’d expect to find on resumes such as full name, date of birth, phone number, email address, civil status, and professional experience and job expectations.
Cybersecurity professionals are now concerned that cybercriminals will be able to use this information to conduct targeted phishing scams. With such identifying information, attackers could craft an email that appears highly authoritative to the reader because of its personal nature.
The database was discovered on 28 December by Bob Diachenko, Director of Cyber Risk Research at Hacken and bug bounty platform HackenProof. Diachenko’s next task was to identify the owner of the database so that it could be secured and the potential damage reduced. Diachenko has now stated that the database has been secured, and no further unauthorized users will be able to stumble across the database and help themselves to the data.
Diachenko stated that this is not an unusual or rare occurrence, and that he has seen it numerous times. Often companies change settings on their database and do not realize it is now exposed to the world. The scale of the database is extremely large in this scenario, but still, far too many companies are not being vigilant enough about ensuring their databases are secure.
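The kind of settings change Diachenko describes usually comes down to two mongod.conf keys: which interfaces the server listens on and whether clients must authenticate. The fragments below are an added illustration, not configuration from the article or from the affected company; the private address 10.0.0.5 is assumed.

```yaml
# Added example (not from the article): two mongod.conf fragments.
# Exposed: listens on every interface and requires no credentials,
# the combination that makes a database readable by anyone who finds it.
net:
  bindIp: 0.0.0.0
  port: 27017
security:
  authorization: disabled
---
# Hardened: bind only to loopback plus the private address the application
# actually uses, and require authentication for every client connection.
net:
  bindIp: 127.0.0.1,10.0.0.5   # 10.0.0.5 is an assumed private address
  port: 27017
security:
  authorization: enabled
```

After restarting mongod with the hardened settings, confirm from a host outside the private network that port 27017 is unreachable, and from inside it that an unauthenticated connection is refused.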
In order to identify the owner of the database, Diachenko used a tool he found on GitHub called data-import. He was able to identify patterns between the database and other data provided by the tool, leading him to the owner.
Diachenko has stated that data-import’s purpose was to scrape information from classified listings. He could not say if the app was official or illegal.