Over 200 million jobseekers get their information exposed online

Millions of personal and job records were exposed by a database without authentication measures

Network security researchers from the International Institute of Cyber Security have reported the discovery of an enormous online database that stored personal information of over 202 million Chinese citizens. According to reports, this information was available to anyone, with no authentication required.

The unprotected database, which contained more than 800 GB of information, was a MongoDB instance (MongoDB is a cross-platform, document-oriented database) hosted by an American server hosting company.

In total, the database contained 202,730,434 records with information on candidates for job vacancies in China. Among the compromised information, the researcher found:

  • Full names
  • Dates of birth
  • Phone numbers
  • Email addresses
  • Marital status
  • Professional experience

Bob Diachenko, a network security expert, discovered this unprotected database a couple of weeks ago; the database was secured shortly after the investigator published the discovery on Twitter. However, Diachenko emphasizes that “at least ten different IP addresses got access to the database before it was secured”.

Although the source of the leaked data is still unknown, the network security expert believes that someone could have used a tool named “Data-Import” to extract specifically this kind of information from thousands of Chinese classified ads websites, such as the well-known bj.58.com. The researcher believes that this is highly probable because the database’s format seems to match the way the “Data-Import” tool works.

Diachenko says that he contacted the admins of the bj.58.com website, who assured him that the leaked data does not come from their website, suggesting that the source could be some third party dedicated to collecting information about jobseekers in China.

“We investigated throughout our database and now we can confirm that the leaked data sample was not in our systems”, the site admins mentioned.

This is not the first time that a MongoDB implementation has been found exposed online. In recent years, multiple reports of similar incidents have appeared.
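
For administrators, the two mongod.conf settings that decide whether an instance can end up reachable without authentication are security.authorization and net.bindIp / net.bindIpAll. The Python check below is an added example, not part of the original report or the researcher's tooling; it classifies a configuration file by those settings. The sample configs and addresses are constructed, and MongoDB 3.6+ defaults are assumed.

```python
# Added example with constructed configs: classify a mongod.conf by bind address and auth.
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def flatten(text):
    """Flatten mongod.conf's nested 'key: value' YAML into dotted keys.
    Handles only that simple subset; it is not a general YAML parser."""
    out, stack = {}, []                  # stack: (indent, key) of open sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()                  # leave sections we have dedented out of
        value = value.strip().strip("\"'")
        if value:
            out[".".join([k for _, k in stack] + [key.strip()])] = value
        else:
            stack.append((indent, key.strip()))
    return out

def audit(text):
    """Return 'critical', 'warn' or 'ok' for one mongod.conf."""
    cfg = flatten(text)
    # Authorization is off unless explicitly set to 'enabled'.
    auth = cfg.get("security.authorization", "disabled").lower() == "enabled"
    # Assumption: MongoDB 3.6+ defaults, where an unset bindIp means localhost.
    binds = {b.strip() for b in cfg.get("net.bindIp", "localhost").split(",")}
    binds = {b for b in binds if b and not b.startswith("/")}  # skip UNIX sockets
    remote = cfg.get("net.bindIpAll", "false").lower() == "true" or bool(binds - LOOPBACK)
    if not auth and remote:
        return "critical"                # anyone who can reach the port can read data
    return "warn" if not auth else "ok"

EXPOSED = """\
net:
  port: 27017
  bindIp: 0.0.0.0        # all interfaces, no security section
"""
HARDENED = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
"""
if __name__ == "__main__":
    print("exposed ->", audit(EXPOSED), "| hardened ->", audit(HARDENED))
```

A "warn" result means authorization is off but the instance listens only on loopback; it becomes "critical" as soon as the bind address is widened.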
