Personal information of over 202 million job seekers in China was exposed for three years because of an unsecured database. Because the database required no authentication, personal information including phone numbers, salary expectations, email addresses and driver's licence details was freely accessible to anyone with an interest and the knowledge of where to find it.
Security researcher Bob Diachenko published his findings on Twitter in a report which revealed the shocking information. Diachenko, who is a director of cyber risk research at Hacken Proof, discovered an unprotected and open MongoDB instance late last month which contained “very detailed” records of 202,730,434 people. The database was freely accessible without any login or password and was indexed on the data search engines Edge and Shodan. The database was taken offline once Diachenko revealed its existence on Twitter.
Diachenko was not able to link the database with any specific server, so ownership is uncertain as of now. However, Diachenko found a three-year-old GitHub repository for an app that had “identical structural patterns as those used in the exposed resumes”. The records seemingly comprise data scraped from Chinese classifieds sites, including 58.com.
58.com did not respond to a request for a comment.
There is evidence that the database was frequently visited, although it is uncertain who accessed it. Diachenko noted that “It’s worth noting that the MongoDB log showed at least a dozen IPs who might have accessed the data before it was taken offline”. It is also uncertain whether 58.com, a rival, or a third-party scraper is responsible. What is certain is that the exposure was the largest of its kind.
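The log evidence Diachenko describes is exactly what a defender would pull from an exposed instance during incident response: which client addresses connected, and whether they ran commands without ever authenticating. The script below is an added example written for this article; it is not Diachenko's or HackenProof's code and does not use data from the incident. It assumes the plaintext log format used by MongoDB 3.x/4.0 (4.4 and later emit JSON lines), and the log lines and IP addresses are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample lines in the MongoDB 3.x/4.0 plaintext log format.
# The IPs are RFC 5737 documentation addresses, not addresses from the incident.
SAMPLE_LOG = """\
2018-12-28T10:15:02.123+0000 I NETWORK  [listener] connection accepted from 203.0.113.5:51234 #12 (1 connection now open)
2018-12-28T10:15:03.456+0000 I COMMAND  [conn12] command resumes.cv command: find { find: "cv", filter: {} } planSummary: COLLSCAN docsExamined:1000 nreturned:101 protocol:op_msg 45ms
2018-12-28T10:16:10.001+0000 I NETWORK  [listener] connection accepted from 198.51.100.7:40001 #13 (2 connections now open)
2018-12-28T10:16:10.020+0000 I ACCESS   [conn13] Successfully authenticated as principal hr_app on resumes
2018-12-28T10:16:11.300+0000 I COMMAND  [conn13] command resumes.cv command: find { find: "cv", filter: { _id: 42 } } nreturned:1 protocol:op_msg 2ms
2018-12-28T10:17:00.500+0000 I NETWORK  [listener] connection accepted from 203.0.113.5:51300 #14 (3 connections now open)
2018-12-28T10:17:01.000+0000 I COMMAND  [conn14] command admin.$cmd command: listDatabases { listDatabases: 1 } protocol:op_msg 3ms
2018-12-28T10:17:05.000+0000 I NETWORK  [conn12] end connection 203.0.113.5:51234 (2 connections now open)
"""

# "connection accepted" ties a connection number to the remote client address.
ACCEPT_RE = re.compile(r"connection accepted from (?P<ip>[\d.]+):\d+ #(?P<conn>\d+)")
# Only present when the deployment actually enforces authentication.
AUTH_RE = re.compile(r"\[conn(?P<conn>\d+)\] Successfully authenticated as principal (?P<user>\S+)")
# Slow-query / command log lines: "command <namespace> command: <name> {...}".
CMD_RE = re.compile(r"\[conn(?P<conn>\d+)\] command (?P<ns>\S+) command: (?P<cmd>\w+)")


def analyze(log_text):
    """Return the sessions that ran commands without ever authenticating, with their client IPs."""
    conn_ip = {}                 # connection number -> client IP
    authed = {}                  # connection number -> principal
    commands = defaultdict(list) # connection number -> [(namespace, command), ...]

    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            conn_ip[m["conn"]] = m["ip"]
            continue
        m = AUTH_RE.search(line)
        if m:
            authed[m["conn"]] = m["user"]
            continue
        m = CMD_RE.search(line)
        if m:
            commands[m["conn"]].append((m["ns"], m["cmd"]))

    # On a server with auth enabled, a command before authentication is refused,
    # so a data-returning command on a never-authenticated session is itself
    # evidence that the instance was open.
    findings = []
    for conn, cmds in commands.items():
        if conn not in authed:
            findings.append({"conn": conn, "ip": conn_ip.get(conn, "unknown"), "commands": cmds})

    return {
        "unauthenticated_sessions": findings,
        "client_ips": sorted({f["ip"] for f in findings}),
        "all_client_ips": sorted(set(conn_ip.values())),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for s in report["unauthenticated_sessions"]:
        print(f"conn{s['conn']} from {s['ip']} ran {s['commands']} without authenticating")
    print("distinct unauthenticated client IPs:", report["client_ips"])
```

Run against a real `mongod.log` from an instance found open, the list of distinct unauthenticated client IPs is the starting point for the "at least a dozen IPs" kind of assessment quoted above; the `listDatabases` and unfiltered `find` commands are the typical first actions of someone enumerating an open database. If the instance was not logging at the default verbosity, only commands slower than the slow-operation threshold appear, so the count is a lower bound.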
58.com, which offers services similar to Craigslist, denied the allegation that it created the records. A spokesperson from 58.com told Diachenko: “We have searched all over the database of us and investigated all the other storage, turned out that the sample data is not leaked from us. It seems that the data is leaked from a third party who scrape[d] data from many CV websites”.