Credit: The original article is published here.
- Xobin left a database publicly exposed online for at least three months
- The database was filled with the PII of over 500,000 job applicants
- Identification documents and passports were included in the files
Days after a database containing the personally identifiable information (PII) of millions of jobseekers was uncovered, another half million may have been exposed by a different company.
The unprotected files were found by Cybernews researchers, and contain the PII of over 500,000 job applicants, including resumes, scans of passports, and copies of identification documents.
The files were left exposed by AI-powered HR tech company Xobin, and despite numerous alerts to the public database, remained open and accessible for almost three months.
Xobin responsible for some big names
The researchers say Xobin counts Toyota, Ericsson, the University of Toronto, and Domino’s as some of its clients, among many other companies and organizations.
It isn’t known how long the database was left exposed before discovery, but Cybernews first discovered the database on August 5 and issued an immediate alert, with the database only being taken down on November 4.
The files were stored in a misconfigured Google Cloud Storage bucket. In total, 18,000 CSV and XLSX files were uncovered which included the job applications of 523,074 people, with each application including full names, phone numbers, and email addresses.
Moreover, 3,129 copies of passports and IDs with Permanent Account Numbers – the Indian equivalent of US social security numbers.
18,629 resumes were found, each containing further details on each applicant. If the database was accessed by malicious actors, it could be used along with other PII for social engineering, spearphishing attacks, extortion, financial fraud, and account takeover, particularly if an individual is known to be seeking or earning a high wage.
“You can name all the cyber threats: identity theft, spear phishing, doxxing, social engineering, and many other forms of fraud. The leaked personal information includes sensitive details, and job seekers are particularly vulnerable. Scammers can impersonate legitimate recruiting agencies, offer enticing fraudulent jobs, and perform other targeted fraudulent activities leading to potentially devastating financial and personal repercussions,” Cybernews researchers said.