Security expert Bob Diachenko discovered an unprotected MongoDB archive that has exposed personal and professional details of more than 202 million people.
The huge trove of data belongs to job seekers in China; its records include personal information such as names, height, weight, email IDs, marriage status, political leanings, skills and work experience, phone numbers, salary expectations, and driver licenses.
The MongoDB archive contains 854 GB of data related to the last three years; it is the largest data leak incident ever to have occurred in China.
“On December 28th, Bob Diachenko, Director of Cyber Risk Research at Hacken.io and bug bounty platform HackenProof, analyzed the data stream of BinaryEdge search engine and identified an open and unprotected MongoDB instance,” reads the post published by Diachenko.
“Upon closer inspection, an 854 GB sized MongoDB database was left unattended, with no password/login authentication needed to view and access the details of what appeared to be more than 200 million very detailed resumes of Chinese job seekers.”
The expert discovered the origin of the data when one of his Twitter followers pointed to a GitHub repository.
The data were collected using a tool named “data-import” (created 3 years ago) that scraped resumes from different Chinese classifieds sites, such as bj.58.com.
58.com’s representative explained that the records were by their platform and confirmed that a third-party has created it.
At this time it is not clear how long the data remained exposed online. Diachenko confirmed that the MongoDB log showed that the archive had been regularly accessed by someone; it included a dozen IPs.
The good news is that the database was secured just after the news of its discovery was published online.
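The kind of log review described above (which remote IPs connected, and how regularly) is something an operator can run on their own instance. The following is an added example, not code from Diachenko's post; it assumes the plain-text `mongod` log format of MongoDB 3.x/4.0, IPv4 peers, and a hypothetical list of trusted networks, and the sample log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the plain-text mongod log format (MongoDB 3.x/4.0).
# Addresses come from private/documentation ranges; this is not incident data.
SAMPLE_LOG = """\
2018-12-20T03:11:02.114+0000 I NETWORK  [listener] connection accepted from 10.0.0.5:41822 #101 (3 connections now open)
2018-12-20T09:45:10.530+0000 I NETWORK  [listener] connection accepted from 203.0.113.7:50112 #102 (4 connections now open)
2018-12-20T09:45:10.702+0000 I NETWORK  [conn102] received client metadata from 203.0.113.7:50112 conn102: { driver: { name: "PyMongo" } }
2018-12-21T09:44:58.001+0000 I NETWORK  [listener] connection accepted from 203.0.113.7:50990 #117 (4 connections now open)
2018-12-22T17:02:33.250+0000 I NETWORK  [listener] connection accepted from 198.51.100.23:60211 #130 (5 connections now open)
"""

# Matches only "connection accepted" events; the thread name varies by version.
ACCEPT = re.compile(
    r"^(?P<ts>\S+)\s+I\s+NETWORK\s+\[\S+\]\s+connection accepted from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+#(?P<conn>\d+)"
)

def external_clients(log_text, trusted=("10.0.0.0/8", "127.0.0.0/8")):
    """Summarise peers outside the trusted networks (hypothetical default list).

    Returns {ip: {"connections": n, "days": [sorted distinct dates]}}.
    Several distinct days for one address indicates recurring access.
    """
    nets = [ipaddress.ip_network(n) for n in trusted]
    seen = defaultdict(lambda: {"connections": 0, "days": set()})
    for line in log_text.splitlines():
        m = ACCEPT.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:  # malformed address such as 999.1.1.1
            continue
        if any(ip in net for net in nets):
            continue
        entry = seen[str(ip)]
        entry["connections"] += 1
        entry["days"].add(m["ts"][:10])  # date part of the ISO timestamp
    return {ip: {"connections": e["connections"], "days": sorted(e["days"])}
            for ip, e in seen.items()}

if __name__ == "__main__":
    for ip, info in sorted(external_clients(SAMPLE_LOG).items()):
        print(f"{ip}: {info['connections']} connection(s) on {', '.join(info['days'])}")
```

Any address in the result on an instance that is meant to be internal only means the listener is reachable from outside the trusted networks.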
“As of the date of this publication, there is no official confirmation on the data owner. We have already covered the issue of web scraping here: https://blog.hackenproof.com/industry-news/new-report-unknown-data-scraper-breach ” concludes Diachenko.
In September 2018, another huge archive containing data of 130 million hotel chain guests was offered for sale on the dark web for around $56,000 worth of Bitcoin at that time.
Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer.