Unprotected ElasticSearch database exposed 33 million Chinese job seekers’ resumes

• The open database is 57GB sized and contains almost 33 million job seekers’ profiles who have uploaded their resume to job recruitment sites in China.
• The security researcher was unable to determine the owner of the database, however, he could find references to several Chinese job recruitment companies such as 51Jobs, lagou, and Zhilian.

What is the issue - A security researcher and a member of GDI.Foundation, Sanyam Jain uncovered an unprotected ElasticSearch database on Match 10, 2019, that was publicly accessible without any authentication.

Why it matters - The open database is 57GB in size and contains almost 33 million job seekers’ profiles who have uploaded their resume to job recruitment sites in China.

“Around 33 Million Job profiles were found online of three Chinese companies and is on a live database. All were big and established. How it can happen. How Chinese companies can put their people data online with their current location. #cywar2stop,” Jain tweeted.

What was exposed?

The exposed information includes job seekers’ personal information such as names, genders, dates of birth, phone numbers, email addresses, home addresses, marital statuses, educational details such as school names, degree, and professional details such as job designation, employer names, salary.

The big picture

• Upon discovering the unsecured database, the security researcher attempted to determine the owner of the database in order to alert the owner and help them secure the database.
• Jain was unable to determine the owner of the database, however, he could find references to several Chinese job recruitment companies such as 51Jobs, lagou, and Zhilian.

“During the initial investigation what I have found is that the customer profiles for the companies 51Jobs, lagou, and Zhilian recruitment are being stored in the database. I believe that a third-party is aggregating the information from these companies and using them in some way,” Jain told BleepingComputer.

• Later, Jain notified the China Cyber emergency response team ( CNCERT) about the leaky database on March 11, 2019.
• CNCERT responded to him stating that they have identified the owner of the IP as ‘北京机到网络科技有限公司’ (which translates to 'Beijing Machine to Network Technology Co., Ltd' as per Google Translate) and have alerted them to secure the database.
• On March 13, 2019, the security researcher was notified that the database has been secured.

Recommendation - The security researcher Jain suggests using IP filtering, passwords, and VPNs to ensure that the data is not exposed online.