Unprotected MongoDB leaks 202 million Chinese job seekers ‘ summaries

Unprotected MongoDB leaks

China is often suspected of sponsoring hack attacks on U.S. and European organizations and agencies. This time around China itself, however, has been the victim of a security violation. An unprotected MongoDB has reportedly revealed personal and professional information to more than 202 million people.

Security researcher Bob Diachenko of HackenProof discovered that he summarizes files of job seekers in China that contain personal details such as names, height, and weight, email IDs, marriage status, political leanings, skills and work experience, telephone numbers, wage expectations and driver’s licences. The data belonged to the last three years and the reason for its exposure is that it was stored in a unsafe and unprotected database in MongoDB.

Unprotected MongoDB leaks summaries of 202 M Chinese job seekers. The exposed database contained 854 GB of data, which Diachenko claims must have been removed from a “data-import” tool. Diachenko could not identify any specific service related to the database, but found a 3-year-old GitHub repository for an application. The application contained nearly “identical structural patterns” that were resumed in the exposed.

Data are apparently removed from Chinese classified services such as 58.com. On the other hand, the representative of 58.com rejected the creation of the record by the service and suggested the involvement of a third party who searched different CV websites to create the database. It should be noted that since the database was not protected by an ID and password, it could have been accessed by anyone without entering any login credentials. It is very worrying that the database now secured was exposed to the public not for a few days or months, but for three long years.

Unprotected MongoDB: Another database exposes personal data of 66 M users Diachenko also evaluated that the data was accessed regularly, but by whom it is not yet clear. What is known so far is that it is the one-of-its-kind and the biggest exposure to databases in China to date. Shortly after my Twitter notification, the database was secured. It should be noted that the MongoDB log showed at least a dozen IPs that could have accessed the data before it was taken offline, revealed Diachenko.

This is not the first time that millions of Chinese people have been breached in their privacy. In September last year, hackers were found to sell 130 million Chinese hotel customers on the Dark Web for 8 BTC, which at that time amounted to about US$ 56 000.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.