Job portal Ladders exposed profiles of 13 million job seekers, thanks to an unprotected AWS Elasticsearch database

• The unprotected database also exposed 379,000 recruiters’ personal information on top of the massive job seekers’ data.
• The database contained job seekers’ sensitive information such as employment histories, job descriptions, designation, current compensation in US dollars, the industry they are seeking a job in, whether they are a U.S. citizen or if they are on a visa, such as an H1-B, and more.

Security researcher Sanyam Jain uncovered an unprotected AWS-hosted Elasticsearch database belonging to a job recruitment site ‘Ladders’ that exposed almost 13 million job seekers’ data due to lack of authentication.

What data was involved?

• The leaky database contained US jobseekers’ personal information such as names, email addresses, phone numbers, and approximate geolocation based on their IP address.
• It also included sensitive information such as employment histories, job descriptions, designation, current compensation in US dollars, the industry they are seeking a job in, whether they are a U.S. citizen or if they are on a visa, such as an H1-B, and more.
• The database also contained over 379,000 recruiters’ personal information.

What’s the conclusion?

Upon discovery, the security researcher reported the findings to TechCrunch in order to secure the vulnerable database. TechCrunch notified Ladders about the database, and the job recruitment site immediately responded by taking down the database offline.

“AWS confirms that our AWS Managed Elasticsearch is secure, and is only accessible by Ladders employees at indicated IP addresses. We will look into this potential theft, and would appreciate your assistance in doing so,” said Marc Cenedella, Founder and CEO of Ladders.