A huge MongoDB database containing over 200 million records with resumes from job seekers in China stayed accessible without authentication for at least one week to anyone able to locate it. The database weighed 854GB.

The information exposed this way, 202,730,434 records in total, includes all the details one would expect to see in a resume: personal information (full name, date of birth, phone number, email address, civil status), professional experience and job expectations.

This type of information is a goldmine for cybercriminals, who can use it to increase the success rate of their phishing campaigns.

Unidentified owner takes the database offline

Shodan, the search engine for internet-connected devices, indexed the MongoDB instance on December 27, but it is unclear how long it had been exposed before that date.

On December 28, Bob Diachenko, Director of Cyber Risk Research at Hacken and bug bounty platform HackenProof, discovered the unsecured database and started to look for its owner. A week later, the database was secured, the researcher told BleepingComputer.

Update: The version of the exposed MongoDB was 4.0.4, whose default configuration does not accept connections from the internet and would not, on its own, have allowed the data to be reachable online. However, online exposure is still possible when the server has been configured to listen on all interfaces and relies on a firewall that has since been reset.
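The update above hinges on two mongod settings: which interfaces the listener binds to (MongoDB 3.6 and later default to localhost) and whether client authorization is enabled. The following audit function is an added example, not code from BleepingComputer or from Diachenko's report; it scans a mongod.conf for `net.bindIp`, `net.bindIpAll` and `security.authorization` with simple line matching (the list form of `bindIp` is not handled), and the two sample configurations are constructed for the example.

```python
import ipaddress
import re

# Constructed sample configs (not from the exposed server).
# Listens on every interface and relies entirely on a firewall for protection.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Binds only to localhost and one internal address, and requires credentials.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.12
security:
  authorization: enabled
"""

_BIND_RE = re.compile(r"^\s*bindIp:\s*(\S+)", re.M)
_BIND_ALL_RE = re.compile(r"^\s*bindIpAll:\s*(true|false)", re.M)
_AUTH_RE = re.compile(r"^\s*authorization:\s*(enabled|disabled)", re.M)


def _is_wildcard(addr):
    """True for 0.0.0.0 or ::, which make mongod listen on every interface."""
    addr = addr.strip("\"'")
    try:
        return ipaddress.ip_address(addr).is_unspecified
    except ValueError:
        return False  # hostnames and UNIX socket paths are not wildcards


def audit_mongod_conf(conf_text):
    """Report whether a mongod.conf exposes the listener and skips authorization."""
    findings = []

    binds_all = False
    bind_all = _BIND_ALL_RE.search(conf_text)
    bind = _BIND_RE.search(conf_text)
    if bind_all and bind_all.group(1) == "true":
        binds_all = True
        findings.append("net.bindIpAll: true listens on every interface")
    elif bind:
        addrs = [a.strip() for a in bind.group(1).split(",")]
        if any(_is_wildcard(a) for a in addrs):
            binds_all = True
            findings.append(f"net.bindIp {bind.group(1)} listens on every interface")
    # No bindIp at all means the 3.6+ default of localhost only.

    auth = _AUTH_RE.search(conf_text)
    auth_enabled = bool(auth and auth.group(1) == "enabled")
    if not auth_enabled:
        findings.append(
            "security.authorization is not enabled; any client that reaches "
            "the port can read every collection"
        )

    return {
        "binds_all_interfaces": binds_all,
        "auth_enabled": auth_enabled,
        "findings": findings,
    }


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf))
```

Both checks matter independently: a restricted `bindIp` stops the daemon from answering on the public interface even if the firewall is wiped, and `authorization: enabled` means a reachable port still yields nothing without credentials.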

This is not a rare occurrence. "I've seen this numerous times," Diachenko told us, adding that in this case, the machine hosting the MongoDB instance appeared to be behind a firewall.

The researcher could not determine the origin of the data initially, but after a lead from a Twitter follower, he landed on the GitHub page for a tool called data-import, which contained source code "with identical structure patterns compared to those used in exposed resumes."

In a report published today, Diachenko says that the tool's purpose was to scrape information from classified listings. He could not say whether the tool was official or illegal.

Contacting BJ.58.com, one of the largest classified-listings sites in the Beijing area, the researcher was told that the data did not originate from their storage.

"We have searched all over the database and investigated all the other storage, and concluded that the sample data is not leaked from us," the security team from BJ.58.com said.

"It seems that the data is leaked from a third party who scrapes data from many CV websites," the site's representatives further added.

Diachenko notes that the database was taken offline shortly after his notification. By that time, at least a dozen IP addresses had already been recorded connecting to it in the MongoDB log.
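The count of IP addresses in the MongoDB log is the one piece of evidence the owner has about who reached the data before it went offline. The function below is an added example, not part of the article or of Diachenko's report: it parses the plain-text "connection accepted from" lines that mongod 4.0 writes (the structured JSON log format only arrived in 4.4), counts connections per remote address, records when each address was first seen, and flags addresses outside a set of trusted networks. The log lines and the trusted-network list are constructed for the example; the remote addresses are RFC 5737 documentation ranges standing in for real clients.

```python
import ipaddress
import re

# Constructed mongod 4.0-style log excerpt (not from the exposed server).
SAMPLE_LOG = """\
2018-12-28T09:14:02.113+0000 I NETWORK  [listener] connection accepted from 127.0.0.1:41022 #1 (1 connection now open)
2018-12-28T09:15:47.501+0000 I NETWORK  [listener] connection accepted from 198.51.100.23:54110 #2 (2 connections now open)
2018-12-28T09:15:48.002+0000 I NETWORK  [conn2] received client metadata from 198.51.100.23:54110 conn2: { driver: { name: "PyMongo", version: "3.7.2" }, os: { type: "Linux" } }
2018-12-28T09:16:10.220+0000 I NETWORK  [listener] connection accepted from 203.0.113.77:39871 #3 (3 connections now open)
2018-12-28T09:16:10.350+0000 I NETWORK  [conn3] end connection 203.0.113.77:39871 (2 connections now open)
2018-12-28T09:40:00.000+0000 I NETWORK  [listener] connection accepted from 198.51.100.23:54200 #4 (3 connections now open)
2018-12-28T10:02:33.918+0000 I NETWORK  [listener] connection accepted from 10.0.0.12:50110 #5 (4 connections now open)
"""

# Networks that are expected to talk to this database (assumed for the example).
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8")]

# Matches the listener's accept line; IPv6 peers appear as [addr]:port.
_ACCEPT_RE = re.compile(
    r"^(?P<ts>\S+) I NETWORK\s+\[\w+\] connection accepted from "
    r"\[?(?P<ip>[0-9a-fA-F.:]+)\]?:(?P<port>\d+) #(?P<conn>\d+)"
)


def _sort_key(ip_text):
    addr = ipaddress.ip_address(ip_text)
    return (addr.version, addr)


def summarize_connections(log_text, trusted=TRUSTED_NETWORKS):
    """Tally accepted connections per remote IP and flag untrusted sources."""
    by_ip = {}
    first_seen = {}
    for line in log_text.splitlines():
        m = _ACCEPT_RE.match(line)
        if not m:
            continue  # metadata, end-connection and other lines are not new connections
        ip = m.group("ip")
        by_ip[ip] = by_ip.get(ip, 0) + 1
        first_seen.setdefault(ip, m.group("ts"))

    ips = sorted(by_ip, key=_sort_key)
    external = [
        ip for ip in ips
        if not any(ipaddress.ip_address(ip) in net for net in trusted)
    ]
    return {
        "distinct_ips": ips,
        "external": external,
        "connections_by_ip": by_ip,
        "first_seen": first_seen,
    }


if __name__ == "__main__":
    summary = summarize_connections(SAMPLE_LOG)
    print(f"{len(summary['distinct_ips'])} distinct clients, "
          f"{len(summary['external'])} from outside trusted networks")
    for ip in summary["external"]:
        print(f"  {ip}: {summary['connections_by_ip'][ip]} connection(s), "
              f"first seen {summary['first_seen'][ip]}")
```

Run against the real log directory (`summarize_connections(open('/var/log/mongodb/mongod.log').read())`), the `first_seen` timestamp of the earliest untrusted address bounds the exposure window better than the Shodan index date does, and the per-address counts separate one-off scanners from clients that came back to pull data.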
