Last night, HackenProof published a report stating that a database containing the resumes of over 200 million job seekers in China was exposed last month. The leaked information included not only each person's name and work experience, but also their mobile phone number, email, marital status, children, politics, height, weight, driver's license, and literacy level.
Bob Diachenko, Director of Cyber Risk Research at Hacken.io and bug bounty platform HackenProof, found an unprotected instance of MongoDB containing these resumes on December 28.
Diachenko located the instance through Shodan and BinaryEdge, search engines that index internet-exposed services. The 854GB database had no authentication configured at all and could be read by anyone who connected to it.
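The failure mode behind this exposure is a mongod that listens on a public interface while authorization is left off. The following is an added example, not code from HackenProof's report or from MongoDB: a small Python audit of a mongod.conf that flags exactly that combination. The parser covers only the nested-mapping subset of YAML that mongod.conf uses, and the two configurations it checks (a default-style install beside a hardened one) are constructed samples.

```python
"""Audit a mongod.conf for the combination behind most exposed-MongoDB incidents:
a non-loopback bind address together with security.authorization left off.
Added example; the configurations below are constructed samples."""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_minimal_yaml(text):
    """Parse the indentation-based subset of YAML used by mongod.conf: nested
    mappings whose leaves are scalars. Comments and blank lines are skipped;
    sequences, anchors and multi-line scalars are out of scope."""
    root = {}
    stack = [(-1, root)]  # (indent level, mapping currently being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("'\"")
        while indent <= stack[-1][0]:  # climb back out to the enclosing mapping
            stack.pop()
        parent = stack[-1][1]
        if value == "":  # "key:" with nothing after it opens a nested mapping
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = value
    return root


def audit(conf_text):
    """Return a list of findings; an empty list means no exposure was detected."""
    cfg = parse_minimal_yaml(conf_text)
    net = cfg.get("net", {})
    # mongod 3.6+ binds to localhost when bindIp is absent; older builds bound
    # all interfaces, so on a legacy deployment treat a missing bindIp as exposed.
    bind_all = net.get("bindIpAll", "false").lower() == "true"
    addrs = [a.strip() for a in net.get("bindIp", "127.0.0.1").split(",")]
    exposed = bind_all or any(a not in LOOPBACK for a in addrs)
    auth_on = cfg.get("security", {}).get("authorization", "disabled").lower() == "enabled"

    findings = []
    if exposed:
        where = "all interfaces (bindIpAll)" if bind_all else ", ".join(addrs)
        findings.append(f"net: listens on a non-loopback address: {where}")
    if not auth_on:
        findings.append("security: authorization is not 'enabled' (any client can read every database)")
    if exposed and not auth_on:
        findings.append("CRITICAL: reachable from the network with no authentication at all")
    return findings


# Constructed sample: a typical 'it just works' install with no security section.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
systemLog:
  destination: file
  path: /var/log/mongodb/mongod.log
net:
  port: 27017
  bindIp: 0.0.0.0   # listens on every interface, including the public one
"""

# Constructed sample: loopback-only plus mandatory authentication.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", audit(conf) or ["no findings"])
```

Binding to loopback alone is not a substitute for authentication: an application server on the same host, or anyone who tunnels through it, still connects without credentials, which is why the audit reports the missing authorization setting separately from the bind address.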
Diachenko wasn't able to identify who generated the database or who owned it, but a now-defunct GitHub repository contained code that used a data structure identical to the leaked database's. The database contained data scraped from multiple Chinese classified websites such as bj.58.com. However, in a blog post, the website's spokesperson denied the leak:
We have searched all over our database and investigated all the other storage; it turned out that the sample data is not leaked from us.
It seems that the data is leaked from a third party who scrapes data from many CV websites.
Interestingly, the database was taken down as soon as Diachenko posted about it on Twitter. Unfortunately, the MongoDB log showed that at least a dozen IP addresses had read from the instance before it went offline.
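When the log is the only evidence left, the first triage question is who connected and what they read. The following is an added example, not part of HackenProof's report: a Python script that parses the plain-text log format of MongoDB 3.x/4.0 (the JSON log format introduced in 4.4 would need a different parser) and summarises, per client IP, how many connections were accepted and which read commands ran against which namespaces. The log lines are constructed samples modelled on that format, using RFC 5737 documentation addresses. Two caveats matter in practice: the connection number in `[connN]` is the only link between a command line and the client address from its accept line, and command lines are written only for operations slower than `slowms` (100 ms by default) unless logging verbosity or profiling is raised, so a connection with no COMMAND lines is not proof that nothing was read.

```python
"""Per-client-IP triage of a MongoDB 3.x/4.0 text log.
Added example; the log below is a constructed sample, not the leaked instance's log."""
import re
from collections import defaultdict

# Commands that return documents to the client; writes and admin commands are
# recorded in the per-IP command set but not counted as reads.
READ_COMMANDS = {"find", "getMore", "aggregate", "count", "distinct"}

# 3.6+/4.0 log the accept under [listener]; 3.4 and earlier used [initandlisten].
CONN_ACCEPT = re.compile(
    r"^(\S+) I NETWORK\s+\[(?:listener|initandlisten)\] connection accepted from (\S+):\d+ #(\d+)"
)
# Slow-op / profiled command line: "[connN] command <db.coll> command: <name> { ... }"
CONN_CMD = re.compile(r"^(\S+) I COMMAND\s+\[conn(\d+)\] command (\S+) command: (\w+)")


def _new_entry():
    return {"connections": 0, "reads": 0, "namespaces": set(), "commands": set(),
            "first_seen": None, "last_seen": None}


def _touch(entry, ts):
    # Timestamps share one offset, so ISO-8601 strings compare correctly as text.
    entry["first_seen"] = ts if entry["first_seen"] is None else min(entry["first_seen"], ts)
    entry["last_seen"] = ts if entry["last_seen"] is None else max(entry["last_seen"], ts)


def triage(log_text):
    """Return {client_ip: summary} built from accept lines and command lines."""
    conn_ip = {}  # connection number -> client IP, learned from accept lines
    summary = defaultdict(_new_entry)
    for line in log_text.splitlines():
        m = CONN_ACCEPT.match(line)
        if m:
            ts, ip, conn = m.groups()
            conn_ip[conn] = ip
            summary[ip]["connections"] += 1
            _touch(summary[ip], ts)
            continue
        m = CONN_CMD.match(line)
        if m:
            ts, conn, namespace, cmd = m.groups()
            ip = conn_ip.get(conn)
            if ip is None:
                continue  # accept line predates this log slice; cannot attribute
            entry = summary[ip]
            entry["commands"].add(cmd)
            if cmd in READ_COMMANDS:
                entry["reads"] += 1
                entry["namespaces"].add(namespace)
            _touch(entry, ts)
    return dict(summary)


def readers(summary):
    """IPs with at least one logged read, sorted for stable reporting."""
    return sorted(ip for ip, e in summary.items() if e["reads"] > 0)


# Constructed sample log: two clients dump the 'resumes.cv' collection, a third
# only connects (a scanner, or a client whose operations were under slowms).
LOG = """\
2018-12-28T10:15:02.113+0000 I NETWORK  [listener] connection accepted from 203.0.113.7:50812 #4 (1 connection now open)
2018-12-28T10:15:02.120+0000 I NETWORK  [conn4] received client metadata from 203.0.113.7:50812 conn4: { driver: { name: "PyMongo", version: "3.7.2" }, os: { type: "Linux" } }
2018-12-28T10:15:03.400+0000 I COMMAND  [conn4] command resumes.cv command: find { find: "cv", filter: {}, limit: 1000 } planSummary: COLLSCAN docsExamined:1000 nreturned:1000 protocol:op_msg 1280ms
2018-12-28T10:15:05.002+0000 I COMMAND  [conn4] command resumes.cv command: getMore { getMore: 8843221, collection: "cv" } nreturned:1000 protocol:op_msg 910ms
2018-12-28T10:15:09.001+0000 I NETWORK  [conn4] end connection 203.0.113.7:50812 (0 connections now open)
2018-12-28T11:02:41.500+0000 I NETWORK  [listener] connection accepted from 192.0.2.50:43120 #5 (1 connection now open)
2018-12-28T11:02:41.600+0000 I NETWORK  [conn5] end connection 192.0.2.50:43120 (0 connections now open)
2018-12-28T13:40:12.000+0000 I NETWORK  [listener] connection accepted from 198.51.100.23:60001 #6 (1 connection now open)
2018-12-28T13:40:12.900+0000 I COMMAND  [conn6] command resumes.cv command: aggregate { aggregate: "cv", pipeline: [ { $match: {} } ], cursor: {} } planSummary: COLLSCAN protocol:op_msg 2200ms
2018-12-28T13:40:15.100+0000 I COMMAND  [conn6] command resumes.cv command: getMore { getMore: 1104423, collection: "cv" } nreturned:101 protocol:op_msg 400ms
2018-12-28T13:40:20.000+0000 I COMMAND  [conn6] command resumes.cv command: count { count: "cv", query: {} } protocol:op_msg 150ms
"""

if __name__ == "__main__":
    result = triage(LOG)
    for ip, e in sorted(result.items()):
        print(f"{ip:16} conns={e['connections']} reads={e['reads']} "
              f"ns={sorted(e['namespaces'])} cmds={sorted(e['commands'])} "
              f"window={e['first_seen']} .. {e['last_seen']}")
    print("clients with logged reads:", readers(result))
```

The output is a starting point for notification and scoping, not a complete picture: the third client in the sample appears with zero reads only because nothing it did crossed the slow-operation threshold, which is exactly the gap that auditing (the `auditLog` option in MongoDB Enterprise) or a verbosity bump on the `command` component closes before an incident rather than after.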
In most cases, it's straightforward to contact the owner of an exposed database and have the data secured. In this case, with no clear owner, it's dangerous to assume that the leaked data is safe.
You can read the full report here.