- Cybernews finds huge database full of resumes and CVs
- It belongs to TalentHook
- The database apparently remains open to this day
Security researchers have discovered another large unprotected database which was leaking sensitive information to the general public.
Analysts from Cybernews found a misconfigured Azure Blob Storage container that was readable by anyone who knew where to look.
The archive contained almost 26 million files, and it was later determined that most of the files were resumes and CVs belonging to US citizens, including people’s full names, email addresses, phone numbers, education details, professional details, and employment history.
TalentHook in trouble
While it might not sound like much, the cache is a treasure trove for cybercriminals. Knowing that these people are actively looking for work, attackers can craft fully customized, highly relevant phishing emails and trick recipients into downloading malware or handing over login credentials.
For example, the North Korean state-sponsored group Lazarus often targets job seekers on LinkedIn and elsewhere, sharing fake job description files which are nothing more than malware.
In some instances, they would have the victim jump through multiple job interview hoops, before asking for “trial work” which includes downloading malicious code.
Cybernews later determined that the archive belonged to TalentHook, a cloud-based applicant tracking system that connects HR departments with individuals seeking work.
Usually, when researchers find an unprotected database like this one, they notify the owner and it gets locked down fast. In this instance, however, there was no confirmation that TalentHook had actually restricted access.
Instead, the Cybernews team shared advice with TalentHook, inviting the company to “change access controls to restrict public access and secure the container”. It is therefore reasonable to assume that the container may still be open and discoverable by anyone. The researchers also did not say whether someone else had already found it, but with exposed storage of this kind that is always a strong possibility.
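The exposure described above comes down to one setting: a container whose public access level lets unauthenticated clients enumerate its blobs. The script below is an added example written for this page, not Cybernews' or TalentHook's code. It builds the anonymous List Blobs URL for a container, classifies the response as "publicly listable" or not, and carries a live `probe()` helper for use against an account you are authorized to test. The account and container names are placeholders, and the two XML bodies are constructed to mimic Azure's listing and error responses rather than captured from any real account.

```python
"""Added example: detect anonymous listing on an Azure Blob Storage container.

Assumptions (labelled here): account/container names are placeholders and the
sample XML responses are constructed, not captured from a real storage account.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import quote


def container_listing_url(account: str, container: str) -> str:
    """Public endpoint for the List Blobs operation, with no SAS token or auth header."""
    return (f"https://{account}.blob.core.windows.net/"
            f"{quote(container)}?restype=container&comp=list")


def classify_anonymous_listing(status: int, body: str) -> dict:
    """Interpret the response to an unauthenticated GET of the listing URL.

    A container whose public access level is 'container' answers 200 with an
    <EnumerationResults> document naming every blob, paginated via <NextMarker>.
    Anything else means the listing is not anonymously readable; when Azure
    returns an <Error> body we surface its <Code> so the operator knows why.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        root = None

    if status == 200 and root is not None and root.tag == "EnumerationResults":
        names = [n.text for n in root.iter("Name") if n.text]
        # A non-empty NextMarker means this page is only part of the listing;
        # a leak of millions of files is only ever seen one page at a time.
        truncated = bool(root.findtext("NextMarker") or "")
        return {"public_listing": True, "status": status, "error_code": None,
                "names": names, "truncated": truncated}

    code = root.findtext("Code") if root is not None and root.tag == "Error" else None
    return {"public_listing": False, "status": status, "error_code": code,
            "names": [], "truncated": False}


def probe(account: str, container: str, timeout: float = 10.0) -> dict:
    """Live check (needs network): GET the listing URL without credentials and classify it."""
    url = container_listing_url(account, container)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify_anonymous_listing(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify_anonymous_listing(err.code, err.read().decode("utf-8", "replace"))


# Constructed sample responses (not captured from any real account).
PUBLIC_LISTING_XML = """<EnumerationResults ServiceEndpoint="https://example.blob.core.windows.net/" ContainerName="applicants">
  <Blobs>
    <Blob><Name>resumes/jane-doe.pdf</Name></Blob>
    <Blob><Name>cv/john-smith.docx</Name></Blob>
  </Blobs>
  <NextMarker>2!100!MDAwMDEyIW5leHQ</NextMarker>
</EnumerationResults>"""

PRIVATE_ERROR_XML = """<Error>
  <Code>PublicAccessNotPermitted</Code>
  <Message>Public access is not permitted on this storage account.</Message>
</Error>"""


if __name__ == "__main__":
    for status, body in ((200, PUBLIC_LISTING_XML), (404, PRIVATE_ERROR_XML)):
        print(classify_anonymous_listing(status, body))
```

A 200 listing is the condition Cybernews describes; note that a container set to the "blob" access level will not list anonymously but will still serve any blob whose URL is known, so a negative result from this probe does not prove the data is private. The fix the researchers recommended maps to `az storage container set-permission --name <container> --account-name <account> --public-access off` for the container, and `az storage account update --name <account> --resource-group <rg> --allow-blob-public-access false` to forbid public access for the whole account.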
At press time, there was no evidence of the data already being found and abused in the wild.