
Security researcher Bob Diachenko of Hacken.io has found a publicly accessible MongoDB instance holding the CVs of 202 million Chinese people. Who owns the database is unclear, reports Silicon Angle.

The database was discovered at the end of December and contains 864.8 GB of data. No password or any other form of login was required to view the more than 200 million detailed CVs. The data reportedly includes personal information such as mobile phone numbers, email addresses, children, salary expectations and driving licence details.

The data may have been collected illegally by scraping various Chinese job boards, such as bj.58.com. Although the source of the data is unknown, the instance has since been secured.
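The exposure described above comes down to two server settings: a MongoDB process that listens on every network interface and has authorization switched off, so anyone who can reach the port can read every collection. The following mongod.conf fragments are an added illustration, not the affected server's actual configuration and not taken from the article; they show the exposing settings next to the hardened equivalent. The internal address and certificate path are placeholders.

```yaml
# Exposing configuration (illustrative, not the affected server's real file).
# mongod accepts connections from any address and runs every command
# without asking for credentials.
net:
  port: 27017
  bindIp: 0.0.0.0          # listens on all interfaces, so reachable from the Internet
security:
  authorization: disabled  # the default; every client is effectively an administrator

---
# Hardened configuration (requires MongoDB 4.2 or later for the net.tls block).
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the internal application network only (placeholder address)
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem   # placeholder path to the server certificate and key
security:
  authorization: enabled   # every connection must authenticate before it can read or write
```

With authorization enabled and no users defined yet, MongoDB's localhost exception allows the first administrative user to be created from a connection on the same host; do that before the port is reachable from anywhere else. A quick check afterwards is to attempt an unauthenticated `listDatabases` from another machine: it should fail with an authorization error rather than return the database names, and with `bindIp` restricted the connection should not be accepted from outside the listed networks at all.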

“As instances like this become more common, organizations need to understand the importance of properly securing third-party database servers and take the necessary steps to encrypt data so that it cannot be used for malicious purposes if it falls into the wrong hands,” said Eric Murray, security architect at Zettaset.

“In this particular case, it is surprising that the CV websites do not use rate limiting to prevent data scraping tools from collecting sensitive user information. Hopefully this trend with public servers shows that there is a significant need for effective security.”

Mandatory patches

Rod Soto, director of security research at JASK, says that incidents like this, in which a product known to be vulnerable is abused, raise the question of whether software developers should be required to build automatic patching into their products. Soto notes that this is already common practice for operating systems and a number of web applications, which reduces the attack surface that these well-known vulnerable applications expose on the Internet.

Soto also points out that forcing updates and patches on users often has unintended consequences. “But given the number of breaches like this and the related criminal activity that goes with it, it is time to weigh up the pros and cons of not patching and keeping these products vulnerable against patching and securing the products and dealing with the associated effects.”

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.