Unsecured MongoDB Database Leaked 200 Million Private Resumes Of Chinese Jobseekers

10/01/2019

Bob Diachenko, the Director of Cyber Risk Research at Hacken.io and bug bounty platform HackenProof have published a report stating that a database containing resumes of over 200 million job seekers in China was exposed in December 2018.

Besides the work experience of those people, the leaked information also included more sensitive data, such as email addresses, mobile phone numbers, marital status, number of children, politics, height, weight, driver's license, literacy level, salary expectations and more.

The data was said to be leaked due to an unprotected instance of MongoDB containing those resumes.

Diachenko discovered the resumes while browsing Shodan and BinaryEdge, search engines that index internet-exposed services. Upon closer inspection, he realized that the database had no password protection and was open to anyone who connected to it.

It was speculated that the data had been leaked by a third party that scraped it from many CV websites.

[Image: the unsecured MongoDB database, exposing 200 million records, was open for anyone to access]

In cases like this, it should be straightforward to contact the owner of the database and ask them to secure the information. However, this leaked database did not have a clear owner.

"The origin of the data remained unknown until one of my Twitter followers pointed to a GitHub repository which contained a web app source code with identical structural patterns as those used in the exposed resumes," explained Diachenko.

"The tool named 'data-import' seems to have been created to scrape data (resumes) from different Chinese classifieds, like BJ.58.com and others."

However, when contacted, the security team of BJ.58.com did not confirm that the data originated from their site.

This isn't the first major leak of Chinese user data.

Previously, in August 2018, the personal information of 130 million clients of a Shanghai-based hotel operator was put on sale on the dark web for 8 Bitcoins. Then in May, tens of thousands of users had their data leaked from the food-delivery app Meituan.

While the laws in China forbid the sale or publication of personal information, there is not yet any clear liability for government bodies, unlike in Europe, where the General Data Protection Regulation (GDPR) covers all businesses that handle EU citizens' data.

The leaked database, hosted in the US, had a size of 854 GB and contained 202,730,434 records in total, according to Diachenko. He also said that the database in question was open to the public from December 23 to 28, but was taken offline soon after he first reported the case on Twitter.

He went on to explain that a MongoDB log showed at least a dozen IP addresses that had accessed the database before it was taken down.
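The kind of check described above, triaging a mongod log for which remote addresses connected and whether any of them authenticated, as an added example that is not part of the original report. The log lines are constructed samples in the classic plain-text mongod log format; the allow-list, IPs and connection ids are assumptions for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in the classic plain-text mongod log format
# (MongoDB 3.x/4.0); illustrative only, not lines from the exposed server.
SAMPLE_LOG = """\
2018-12-24T10:15:32.123+0000 I NETWORK  [listener] connection accepted from 10.0.0.12:51234 #1 (1 connection now open)
2018-12-24T10:15:32.201+0000 I ACCESS   [conn1] Successfully authenticated as principal app on resumes
2018-12-24T11:02:07.004+0000 I NETWORK  [listener] connection accepted from 198.51.100.23:40122 #2 (2 connections now open)
2018-12-24T11:02:09.330+0000 I NETWORK  [conn2] received client metadata from 198.51.100.23:40122 conn2: { driver: { name: "nodejs", version: "3.1.10" } }
2018-12-24T11:40:55.871+0000 I NETWORK  [listener] connection accepted from 203.0.113.77:61001 #3 (3 connections now open)
2018-12-25T03:12:44.007+0000 I NETWORK  [listener] connection accepted from 198.51.100.23:40988 #4 (4 connections now open)
2018-12-25T03:12:50.009+0000 I NETWORK  [conn4] end connection 198.51.100.23:40988 (3 connections now open)
"""

ACCEPTED = re.compile(
    r"^(?P<ts>\S+) I NETWORK\s+\[listener\] connection accepted from "
    r"(?P<ip>[0-9.]+):(?P<port>\d+) #(?P<conn>\d+)"
)
AUTH_OK = re.compile(r"^(?P<ts>\S+) I ACCESS\s+\[(?P<conn>conn\d+)\] Successfully authenticated")

def accepted_connections(log_text):
    """Yield (timestamp, source ip, connection id) for each accepted inbound connection."""
    for line in log_text.splitlines():
        m = ACCEPTED.match(line)
        if m:
            yield m.group("ts"), m.group("ip"), "conn" + m.group("conn")

def unexpected_sources(log_text, allowed_cidrs):
    """Count connections per source IP that fall outside the allow-listed networks."""
    allowed = [ip_network(c) for c in allowed_cidrs]
    counts = Counter()
    for _, ip, _ in accepted_connections(log_text):
        if not any(ip_address(ip) in net for net in allowed):
            counts[ip] += 1
    return counts

def unauthenticated_connections(log_text):
    """Connection ids with no 'Successfully authenticated' line. With authorization
    disabled every connection looks like this, which is the misconfiguration to catch."""
    authed = {m.group("conn") for m in map(AUTH_OK.match, log_text.splitlines()) if m}
    return sorted(conn for _, _, conn in accepted_connections(log_text) if conn not in authed)

if __name__ == "__main__":
    print(unexpected_sources(SAMPLE_LOG, ["10.0.0.0/8"]))  # two external addresses
    print(unauthenticated_connections(SAMPLE_LOG))         # conn2, conn3, conn4
```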

This massive database leak is considered one of the biggest China-related data exposures ever, according to HackenProof.

According to Trend Micro, misconfigured security settings are likely to continue exposing sensitive information, especially as more companies migrate their data systems to the cloud.