UPDATED 21:59 EDT / JANUARY 10 2019

SECURITY

Unprotected MongoDB instance exposes resumes of 202 million Chinese nationals

A security researcher has uncovered a publicly exposed MongoDB instance that includes the resumes of 202 million Chinese nationals, but in a new twist, it’s unknown who owns the database.

Discovered by Bob Diachenko of Hacken in late December, the MongoDB instance included 854.8 gigabytes of data with no password/login authentication needed to view and access the details of more than 200 million detailed resumes of Chinese job seekers.

The data is said to include personal information such as mobile phone numbers, emails, marriage details, children, politics, height, weight, driver’s license details, literacy levels, salary expectations and more.

A drill-down of the data later posted on the Hackenproof blog suggested that the data may have been illegally gathered by scraping different Chinese classified sites such as bj.58.com.

Despite the source of the data remaining unknown, the MongoDB instance has since been secured.

“As instances like this have become more commonplace, organizations should recognize the importance of properly securing any third-party database servers, and take the necessary steps to encrypt data to ensure that it is unusable for malicious purposes should it fall into the wrong hands,” Eric Murray, security architect at Zettaset Inc., told SiliconANGLE. “In this specific case, it’s generally surprising that the resume sites aren’t using rate limiting to prevent data scraping tools from swooping up sensitive user information. Hopefully, this trend we’re seeing with exposed servers shines a light on the significant need for more effective security within them.”

Rod Soto, director of security research at JASK Inc., noted that incidents like this, in which a known vulnerable product is exploited, raise the question of whether software developers should be mandated to introduce automatic patching of their code.

“This general process is already in use today, with operating systems and some web applications where updates are automatic, thus reducing the attack surface of these known-to-be-vulnerable apps that are deployed across the internet,” Soto explained.

Soto also noted that forcing updates or patches usually has unintended consequences. “However, due to the amount of breaches like this and related criminal activity that comes with them, it is time to weigh the pros and cons of leaving these products unpatched and exposed versus patching and securing them and dealing with the collateral effects,” he said.

Photo: US Air Force
