Millions of personal and job records were exposed by a database without authentication measures
Network security researchers from the International Institute of Cyber Security have reported the discovery of an enormous online database that stored personal information of over 202 million Chinese citizens. According to reports, this information was accessible to anyone, with no authentication required.
The unprotected database, which held more than 800 GB of information, was running on a MongoDB instance, a cross-platform document-oriented database, hosted by a US hosting provider.
In total, the database contained 202,730,434 records with information on candidates for job vacancies in China. Among the compromised information, the researcher found:
- Full Names
- Dates of birth
- Phone numbers
- Email addresses
- Marriage status
- Professional experience
Bob Diachenko, network security expert, discovered this unprotected database a couple of weeks ago; the database was secured shortly after the researcher publicized the discovery on Twitter. However, Diachenko emphasizes that “at least ten different IP addresses got access to the database before it was secured”.
Although the source of the leaked data is still unknown, the network security expert believes that someone could have used a tool named “Data-Import” to scrape exactly this kind of information from thousands of Chinese classified-ads websites, such as the well-known bj.58.com. The researcher considers this highly probable because the database’s format appears to match the way the “Data-Import” tool structures its output.
Diachenko states that he contacted the administrators of the bj.58.com website, who assert that the leaked data did not come from their site, suggesting that the source could be a third party that collects information about job seekers in China.
“We investigated throughout our database and now we can confirm that the leaked data sample was not in our systems”, the site admins mentioned.
This is not the first time that a MongoDB instance has been found exposed online. In recent years there have been multiple reports of similar incidents.
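The exposure described in this article comes from two server-side settings: authorization left off, and the listener bound to every network interface. The following is an added example, not code from the article or from the MongoDB project, that audits a mongod.conf for exactly those two controls. It uses only the Python standard library (a small parser for the flat key/nested-mapping subset of YAML that mongod.conf uses), and the two configuration texts embedded in it are constructed samples, not the configuration of the exposed server. The option names (`security.authorization`, `net.bindIp`, `net.bindIpAll`) are real mongod options; the default of binding to localhost applies to MongoDB 3.6 and later.

```python
"""Audit a mongod.conf for the two settings that allow an unauthenticated,
Internet-reachable MongoDB instance: security.authorization and net.bindIp.

Standard library only. Constructed sample configurations are embedded below.
"""

# Constructed sample: the insecure shape (no authorization, bound to every interface).
INSECURE_CONF = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 0.0.0.0   # listens on all interfaces
"""

# Constructed sample: the hardened shape (authorization on, bound to loopback and one private address).
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
"""

# Bind values that expose the listener on every interface.
PUBLIC_BINDS = {"0.0.0.0", "::", "*"}


def parse_simple_yaml(text):
    """Parse the 'key: value' / nested-mapping subset of YAML that mongod.conf uses.

    Returns nested dicts with scalar values kept as strings. Comments are stripped.
    YAML lists, quoting and multi-line scalars are deliberately not handled; this
    is an audit helper, not a general YAML parser.
    """
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for the open nesting levels
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip()
        # Close any mapping that is indented at or deeper than this line.
        while indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means both controls are in place."""
    conf = parse_simple_yaml(text)
    findings = []

    security = conf.get("security", {})
    authz = security.get("authorization", "disabled") if isinstance(security, dict) else "disabled"
    if str(authz).lower() != "enabled":
        findings.append(
            "security.authorization is not 'enabled': any client that reaches the "
            "port can read and write every collection without credentials"
        )

    net = conf.get("net", {}) if isinstance(conf.get("net", {}), dict) else {}
    bind = str(net.get("bindIp", "127.0.0.1"))  # mongod 3.6+ default is localhost only
    bind_all = str(net.get("bindIpAll", "false")).lower() == "true"
    addrs = {a.strip() for a in bind.split(",")}
    if bind_all or addrs & PUBLIC_BINDS:
        findings.append(
            f"net.bindIp={bind!r} (bindIpAll={bind_all}) listens on every interface: "
            "bind to loopback or a private address and front it with a firewall"
        )
    return findings


if __name__ == "__main__":
    for name, conf in (("insecure", INSECURE_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{name}]")
        for finding in audit_mongod_conf(conf) or ["no findings"]:
            print("  -", finding)
```

Run it against the real file with `audit_mongod_conf(open("/etc/mongod.conf").read())`; an empty result only means these two controls are present, and does not replace checking from outside the host that the port is unreachable from the Internet.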