
Chinese companies have leaked a whopping 590 million resumes in the first three months of the year, ZDNet has learned from multiple security researchers.
Most of the resume leaks have occurred because of poorly secured MongoDB databases and ElasticSearch servers that have been left exposed online without a password, or have ended up online following unexpected firewall errors.
Leaks occurred solely at Chinese firms
Over the past few months, and especially over the last few weeks, ZDNet has received several tips about exposed servers that --when investigated-- belonged to Chinese HR-focused companies.
From tiny firms exposing a handful of CVs to professional executive head-hunting firms, they've all leaked their customers' details, in one form or another.
Most of these leaks have been brought to ZDNet's attention by Sanyam Jain, a security researcher and a member of the GDI Foundation.
Jain discovered and reported seven such cases in the past month alone, with only four getting taken down before this article's publication.
His discoveries include an ElasticSearch server containing resumes for 33 million Chinese users that he found on March 10. This database was secured four days after Jain reported the issue to the China National Computer Emergency Response Team (CNCERT).
Around 33 Million Job profiles were found online of three Chinese companies and is on a live database. All were big and established. How it can happen. How Chinese companies can put their people data online with their current location. #cywar2stop pic.twitter.com/EtgoP38QNl
— Sanyam J. (@HydroMercury) March 10, 2019
His second finding was an ElasticSearch server containing 84.8 million CVs he found on March 13 --also spotted by security researcher Devin Stokes a few days earlier. This server was, too, taken down, with the help of CNCERT.
84.8 Million Chinese resumes exposed.
— stoXe (@DevinStokes) February 28, 2019
Current salary, work history, education, skills, trainings received, sallary of all previous jobs.
This is some thorough information. pic.twitter.com/StEgfU4H9K
Jain's third discovery was another ElasticSearch instance, this time holding 93 million resumes, which he found on March 15.
"The DB was taken offline unexpectedly, and I got no response from CNCERT after reporting to them," Jain told ZDNet.
The fourth server stored resumes from a Chinese company and contained only nine million CVs, which he found in another ElasticSearch instance.
The fifth server was Jain's biggest finding, an ElasticSearch cluster holding over 129 million resumes. This database is still exposed online at the time of writing because Jain wasn't able to identify its owner.
Jain's last two discoveries were also his smallest findings. The sixth was an ElasticSearch server hosting 180,000 resumes, and the seventh stored only 17,000 resumes. This last one, Jain discovered just hours before this article went live.
But Jain was not the only researcher who has been stumbling upon such databases. The most interesting of all databases that leaked resumes of Chinese users was the one security researcher Devin Stokes shared with ZDNet two weeks back.
This was an ElasticSearch server containing the resumes of 19 million Chinese users, all in management positions. The database belonged to a headhunting company active on the Chinese market. The researcher decided not to name the company for this piece.
This server, besides resumes, contained full profiles on each user, including current jobs, recent conversations between recruiters and executives, training sessions, and more.
Furthermore, the leaky server also contained a list of companies which signed up for headhunting firm's services and had hired executives with its help. A cursory search through this list surfaced both foreign firms like Kraft Heinz and StonCor, but also many local Chinese companies like China Aviation Power Control and Wuxi AMT Technology.
Fortunately, this database was secured faster than most, being taken down two days after Stokes sent an email to CNCERT.
Besides Jain and Stokes, another famous data breach hunter who has been stumbling upon these databases is Bob Diachenko of Security Discovery.
Yesterday, Diachenko found a similarly exposed server containing the CVs for 20.5 million Chinese users, and the researcher is currently in the process of identifying and notifying the company which leaked this data.
20,591,134 Chinese CVs with pretty detailed information appeared on a leaky server at some point last week. Quickly taken down by CERT after notification but I think this data might have landed in wrong hands already. Not sure if this is same data reported in Jan pic.twitter.com/aX6muDEr46
— Bob Diachenko (@MayhemDayOne) April 2, 2019
But also let's not forget about Diachenko's other discovery, a MongoDB database that the researcher found in January, and which had leaked the resumes of over 202 million Chinese users.
More than 590 million leaked resumes
Counting all, we have 590.497 million resumes that have leaked from Chinese companies over the past three months, a worrying sign that Chinese HR companies are not taking the security of their servers seriously.
Featured
One might think that exposing data from a resume isn't a big deal since resumes are inherently public documents, but the reality isn't so.
People share resumes with interested parties on the assumption that the resume would only be used for the assessment for a particular job.
When users share resumes online on their own sites, they regularly edit out personally identifiable information that is included on a full version of a CV --such as phone numbers, home addresses, family and marital status, and in some cases, ID numbers, depending on the requirements of some HR firms.
Similarly, when they fill in personal details on job portals, they do it believing that some data will only be available to employers, and not the entire internet.
The rate at which Chinese HR firms and Chinese job portals are leaking these CVs shows both a disregard for user privacy, but also a bad security posture on the behalf of these companies.
Data leaks: The most common sources
More data breach coverage:
- Indian govt agency left details of millions of pregnant women exposed online
- Bithumb cryptocurrency exchange hacked a third time in two years
- Card breach reported at Buca di Beppo, Planet Hollywood, and other restaurants
- Over 540 million Facebook records found on exposed AWS servers
- Over 13K iSCSI storage clusters left exposed online without a password
- WordPress iOS app leaked authentication tokens
- Facebook passwords by the hundreds of millions sat exposed in plain text CNET
- Facebook data privacy scandal: A cheat sheet TechRepublic