- Cybernews finds huge data dump full of resumes and CVs
- It belongs to talenthook
- The database apparently remains open today
Security researchers have discovered another large unprotected database that leaked sensitive information to the public.
Analysts from Cybernews found a misconfigured Azure Blob Storage container available to anyone who knew where to look.
The archive contained nearly 26 million files, and it was later determined that most of the files were resumes and CVs belonging to American citizens, including people's full names, email addresses, telephone numbers, educational details, professional details and employment history.
Talenthook in trouble
While it may not sound like much, the cache is a treasure chest for cyber criminals. Knowing that these people are actively looking for new job opportunities, they can create fully customized, highly relevant phishing emails and successfully trick people into downloading malware or sharing login credentials.
For example, the North Korean state-sponsored group Lazarus often targets job seekers on LinkedIn and other places, where it shares fake job description files that are nothing but malware.
In some cases, they would get the victim to jump through multiple job interview hoops before asking for a "trial", which includes downloading malicious code.
Cybernews later determined that the archive belonged to Talenthook, a cloud-based applicant tracking system that connects HR departments with individuals looking for work.
Usually, when researchers find unprotected databases like this, they inform the owners and the issue gets fixed quickly. In this case, however, there was no confirmation that Talenthook actually prevented access.
Instead, the Cybernews team shared advice with Talenthook and urged the team to "change access controls to limit public access and secure the container". Therefore, it is safe to assume that the database remains unlocked and accessible for anyone to find. The researchers also did not mention whether anyone had already found it, but this is always a strong possibility.
At press time, there was no evidence that the data had already been found and abused in the wild.
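For storage owners who want to act on the advice quoted above, the following added example (not from the article or from Cybernews) audits their own account inventory for containers that allow anonymous reads and prints the Azure CLI commands that close them. The account, resource group and container names are constructed sample data shaped like the JSON returned by `az storage account list` and `az storage container list`; treating an unset `allowBlobPublicAccess` as permissive is an assumption chosen to fail safe.

```python
import json

# Constructed sample inventory (not real accounts), shaped like the output of
# `az storage account list` and, per account, `az storage container list`.
ACCOUNTS_JSON = """[
  {"name": "examplehrprod", "resourceGroup": "rg-example", "allowBlobPublicAccess": true},
  {"name": "examplehrarchive", "resourceGroup": "rg-example", "allowBlobPublicAccess": false},
  {"name": "examplelegacy", "resourceGroup": "rg-old", "allowBlobPublicAccess": null}
]"""
CONTAINERS_JSON = """{
  "examplehrprod": [{"name": "resumes", "properties": {"publicAccess": "container"}},
                    {"name": "internal", "properties": {"publicAccess": null}}],
  "examplehrarchive": [{"name": "old-cvs", "properties": {"publicAccess": "blob"}}],
  "examplelegacy": [{"name": "attachments", "properties": {"publicAccess": "blob"}}]
}"""


def audit(accounts, containers_by_account):
    """Return one finding per container that anonymous users can read."""
    findings = []
    for acct in accounts:
        # An explicit false blocks anonymous access account-wide and overrides
        # container settings. Assumption: anything else (true or unset) is
        # treated as permissive so it gets reviewed.
        if acct.get("allowBlobPublicAccess") is False:
            continue
        for c in containers_by_account.get(acct["name"], []):
            level = (c.get("properties") or {}).get("publicAccess")
            if level not in ("blob", "container"):
                continue  # null means private
            findings.append({
                "account": acct["name"],
                "container": c["name"],
                "level": level,
                # "container" level also lets anonymous users list every blob.
                "listable": level == "container",
                "fix": [
                    f"az storage container set-permission --name {c['name']} "
                    f"--account-name {acct['name']} --public-access off",
                    f"az storage account update --name {acct['name']} "
                    f"--resource-group {acct['resourceGroup']} "
                    f"--allow-blob-public-access false",
                ],
            })
    return findings


if __name__ == "__main__":
    for f in audit(json.loads(ACCOUNTS_JSON), json.loads(CONTAINERS_JSON)):
        print(f"{f['account']}/{f['container']}: public={f['level']} listable={f['listable']}")
        for cmd in f["fix"]:
            print("   ", cmd)
```

Disabling public access at the account level is the stronger of the two fixes, because it also prevents a container from being made public again later.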



