What is the issue - Sanyam Jain, a security researcher and member of GDI.Foundation, uncovered an unprotected Elasticsearch database on March 10, 2019, that was publicly accessible without any authentication.
Why it matters - The open database is 57GB in size and contains the profiles of almost 33 million job seekers who uploaded their resumes to job recruitment sites in China.
“Around 33 Million Job profiles were found online of three Chinese companies and is on a live database. All were big and established. How it can happen. How Chinese companies can put their people data online with their current location. #cywar2stop,” Jain tweeted.
What was exposed?
The exposed information includes job seekers’ personal information such as names, genders, dates of birth, phone numbers, email addresses, home addresses, and marital statuses; educational details such as school names and degrees; and professional details such as job designations, employer names, and salaries.
The big picture
“During the initial investigation what I have found is that the customer profiles for the companies 51Jobs, lagou, and Zhilian recruitment are being stored in the database. I believe that a third-party is aggregating the information from these companies and using them in some way,” Jain told BleepingComputer.
Recommendation - The security researcher Jain suggests using IP filtering, passwords, and VPNs to ensure that the data is not exposed online.
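
As an added illustration (not from the original article or from Jain), the Python sketch below audits an `elasticsearch.yml` for the three controls named in the recommendation: a non-public bind address, authentication, and IP filtering. The function names and both sample configs are constructed for this example, and it assumes flat dotted keys and treats a missing `xpack.security.enabled` as disabled.

```python
# Added illustration; function names and sample configs are hypothetical.
import ipaddress

# Constructed sample: the exposed pattern (listening on every interface, no auth).
WEAK = """\
cluster.name: resumes
network.host: 0.0.0.0
xpack.security.enabled: false
"""

# Constructed sample: bound to a private (VPN-side) address, auth and IP filter on.
HARDENED = """\
cluster.name: resumes
network.host: 10.8.0.5
xpack.security.enabled: true
xpack.security.http.filter.allow: "10.8.0.0/24"
xpack.security.http.filter.deny: _all
"""

def parse_flat_yaml(text):
    """Parse 'dotted.key: value' lines; nested YAML is out of scope here."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("\"'")
    return settings

def is_public_bind(host):
    """True if the bind address is reachable beyond loopback/private ranges."""
    if host in ("localhost", "_local_", "_site_"):
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True  # hostname or special value such as _global_: treat as exposed
    return ip.is_unspecified or not (ip.is_loopback or ip.is_private)

def audit(text):
    cfg = parse_flat_yaml(text)
    findings = []
    host = cfg.get("http.host", cfg.get("network.host", "localhost"))
    if is_public_bind(host):
        findings.append("public-bind")
    # Assumption: a missing setting is treated as disabled (conservative reading).
    if cfg.get("xpack.security.enabled", "false").lower() != "true":
        findings.append("no-authentication")
    if "xpack.security.http.filter.allow" not in cfg:
        findings.append("no-ip-filter")
    return findings
```

An empty result from `audit()` means all three controls are present in the file; it does not replace checking firewall rules or confirming from outside the network that the HTTP port is unreachable.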