Breach, Data Security, Network Security, Security Strategy, Plan, Budget

Chinese HR firms and recruiting agencies found to leak more than half a billion resumes

Chinese companies were discovered leaking more than half a billion resumes on the web via poorly secured ElasticSearch and MongoDB databases.

The leaks occurred solely at Chinese firms over the last few months from Chinese human resource-focused companies in batches ranging from a handful of CVs to professional executive head-hunting firms all leaking customer details many of which were discovered by independent security researcher Sanyam Jain, according to ZDNet.

Tripwire researchers noted that despite employment information being available on LinkedIn and other social networking sites this information is still more sensitive than what one could typically find online.

“The difference is, of course, that resumes shared with recruitment agencies and head hunters contain much more personal information than that which you’re likely to share with a site like LinkedIn,” independent cybersecurity researcher Graham Clueley said in an April 4 Tripwire blog post.

“For instance, when you feel like you are only sharing your details with a human resources agency, you are much more likely to submit details such as your personal home address, your precise data of birth your salary requirements and so forth.”

Jains findings included an ElasticSearch server containing resumes for 33 million applicants, an ElasticSearch server containing 84.8 million resumes, and an ElasticSearch database containing 93 million resumes, all within a week in March.

Researchers also found a server containing nine million resumes, a server cluster containing over 129 resumes, an ElasticSearch server hosting 180,000 resumes, another that exposed only 17,000 resumes and several other exposed servers containing millions more records.  

Some of the exposed servers have been taken down, such as one discovered by Security Discovery’s BoB Diachenko on April 2, which contained 20.5 million records, however other databases remain exposed.

In addition to exposed resumes, researchers also found full profiles on each user with information including their current jobs, recent conversations between recruiters and executives, training sessions and even companies that had signed up to use head hunting firms services and had hired executives with the firm’s help.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.