China is often suspected of sponsoring hacking attacks against organizations and agencies in the US or Europe. However, this time around China itself has become the victim of a security breach. Reportedly, an unprotected MongoDB database has exposed personal and professional details of more than 202 million people.
HackenProof’s security researcher Bob Diachenko discovered exposed resume files of job seekers in China that included personal details such as names, height, weight, email IDs, marriage status, political leanings, skills and work experience, phone numbers, salary expectations, and driver licenses. The data covered the last three years, and it was exposed because it was stored in an unsecured and unprotected MongoDB database.
The exposed database contained 854GB of data, which Diachenko claims must have been scraped from a tool called “data-import.”
“It is unknown whether it was an official application [of the tool] or illegal one used to collect all the applicants’ details, even those labeled as ‘private,’” Diachenko wrote.
Diachenko couldn’t identify any specific service associated with the database, but he did discover a 3-year-old repository on GitHub for an app. The app contained almost “identical structural patterns” to those in the exposed resumes. Apparently, the data was scraped from Chinese classified services like 58.com.
On the other hand, 58.com’s representative denied that the service was responsible for creating the record and hinted at the involvement of a third party that searched various CV websites to create the database.
It must be noted that since the database wasn’t protected with an ID and password, anyone could have accessed it without entering any login credentials. It is quite concerning that the now secured database was exposed to the public not for a few days or months but three long years.
Diachenko also assessed that the data has been accessed on a regular basis, but by whom is not yet clear. What’s known so far is that it is one of a kind and the largest database exposure incident in China to date.
“Shortly after my notification on Twitter, the database had been secured. It’s worth noting that MongoDB log showed at least a dozen IPs who might have accessed the data before it was taken offline,” Diachenko revealed.
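The kind of log review mentioned above can be sketched in a few lines of Python. This is an added example, not code from the article or from HackenProof; it assumes the legacy plain-text mongod log format, and the sample log lines, `TRUSTED_NETS` and `untrusted_clients` are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the legacy mongod text log format (assumption).
SAMPLE_LOG = """\
2019-01-02T03:04:05.000+0000 I NETWORK  [listener] connection accepted from 127.0.0.1:40112 #1 (1 connection now open)
2019-01-02T03:10:41.120+0000 I NETWORK  [listener] connection accepted from 203.0.113.7:51834 #2 (2 connections now open)
2019-01-02T03:10:42.500+0000 I NETWORK  [conn2] end connection 203.0.113.7:51834 (1 connection now open)
2019-01-03T11:22:33.000+0000 I NETWORK  [listener] connection accepted from 10.0.0.15:39001 #3 (2 connections now open)
2019-01-04T08:00:00.000+0000 I NETWORK  [listener] connection accepted from 198.51.100.23:60220 #4 (3 connections now open)
2019-01-05T09:30:00.000+0000 I NETWORK  [listener] connection accepted from 203.0.113.7:51990 #5 (4 connections now open)
"""

# Hypothetical networks the operator expects database clients to come from.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8")]

# Timestamp is the first field; the peer is "ip:port" before the "#<conn id>".
ACCEPT_RE = re.compile(r"^(?P<ts>\S+)\s.*connection accepted from (?P<peer>\S+) #\d+")


def untrusted_clients(log_text, trusted=TRUSTED_NETS):
    """Return {ip: {"count", "first", "last"}} for peers outside the trusted nets."""
    seen = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        m = ACCEPT_RE.match(line)
        if not m:
            continue  # not a connection-accepted event
        host = m.group("peer").rsplit(":", 1)[0].strip("[]")
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # peer field is not an IP address; skip it
        if any(addr in net for net in trusted):
            continue
        rec = seen[str(addr)]
        rec["count"] += 1
        rec["first"] = rec["first"] or m.group("ts")
        rec["last"] = m.group("ts")
    return dict(seen)


if __name__ == "__main__":
    for ip, rec in sorted(untrusted_clients(SAMPLE_LOG).items()):
        print(ip, rec["count"], rec["first"], rec["last"])
```

An address appearing in this output on a database that has no authentication enabled means that client could have read the data without credentials.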
This is not the first time that the privacy of millions of Chinese citizens has been breached. In September last year, hackers were found selling data of 130 million Chinese hotel clients on the dark web for 8 BTC, which was around US$56,000 at that time.