Unsecured MongoDB archive exposed 202 Million private resumes

Pierluigi Paganini January 14, 2019

Security expert discovered an unprotected MongoDB archive that has exposed personal and professional details of more than 202 million people.

Security expert Bob Diachenko discovered an unprotected MongoDB archive that has exposed personal and professional details of more than 202 million people.

The huge trove of data belongs to job seekers in China, its records include personal information of individuals like names, height, weight, email IDs, marriage status, political leanings, skills and work experience, phone numbers, salary expectations, and driver licenses were exposed.

The MongoDB archive contains 854GB of data related to the last three years, it is the largest data leak incident of ever occurred in China.

MongoDB archive

“On December 28th, Bob Diachenko, Director of Cyber Risk Research at Hacken.io and bug bounty platform HackenProof, analyzed the data stream of BinaryEdge search engine and identified an open and unprotected MongoDB instance” reads the post published by Diachenko.

“Upon closer inspection, an 854 GB sized MongoDB database was left unattended, with no password/login authentication needed to view and access the details of what appeared to be more than 200 million very detailed resumes of Chinese job seekers.”

The expert discovered the origin of the data when one of its Twitter followers pointed to a GitHub repository

Data were collected by using a tool named “data-import” (created 3 years ago) that was scraping resumes from different Chinese classifieds, like bj.58.com.

58.com’s representative explained that the records were by their platform and confirmed that a third-party has created it.

At the time it is not clear how long such kind of data remained exposed online, Diachenko confirmed that the MongoDB log showed that the archive has been regularly accessed by someone, it included a dozen IPs.

The good news is that the database was secured just after the news of its discovery was published online.

“As of the date of this publication, there is no official confirmation on the data owner. We have already covered the issue of web scraping here: https://blog.hackenproof.com/industry-news/new-report-unknown-data-scraper-breach ” concludes Diachenko .

In September 2018, another huge archive containing data of 130 Million hotel chain guests was offered for sale on the dark web for around $56,000 at that time worth of Bitcoin.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – MongoDB archive, data leak)

[adrotate banner=”5″]

[adrotate banner="13"]



you might also like

leave a comment