A huge MongoDB database containing detailed CVs for over 202 million individuals has been found exposed online.
The unprotected MongoDB instance was found via a simple BinaryEdge or Shodan search and was left without any password protection, according to Bob Diachenko, director of cyber risk research at Hacken.io and HackenProof.
The 854GB trove contained data on 202.7m Chinese job-seekers including “personal info, such as mobile phone number, email, marriage, children, politics, height, weight, driver license, literacy level, salary expectations and more.” Such information could be used to good effect in follow-on phishing attacks.
The source of the data is unknown, although it is believed it may have been scraped from third-party CV sites.
“The origin of the data remained unknown until one of my Twitter followers pointed to a GitHub repository which contained a web app source code with identical structural patterns as those used in the exposed resumes,” explained Diachenko.
“The tool named ‘data-import’ (created three years ago) seems to have been created to scrape data (resumes) from different Chinese classifieds, like bj.58.com and others. It is unknown, whether it was an official application or an illegal one used to collect all the applicants’ details, even those labelled as ‘private’.”
The database was secured “shortly after” Diachenko publicized his discovery on Twitter, although it’s unclear for how long it was exposed online before he first spotted it on December 28 last year.
He claimed that “at least a dozen” IPs may have accessed the database before it was taken offline, according to the MongoDB log.
Misconfigured security settings are likely to continue exposing organizations to preventable risk in 2019, especially as more of them migrate data and systems to the cloud, Trend Micro said in its 2019 predictions report recently.