- Cybernews finds a huge database full of résumés and CVs
- It belongs to Talenthook
- The database is apparently still open
Security researchers have discovered another large unprotected database leaking sensitive information to the general public.
Analysts at Cybernews found a poorly configured Azure Blob Storage container that was available to anyone who knew where to look.
The container held nearly 26 million files, and it was later determined that most of them were résumés and CVs belonging to US citizens, including people's full names, email addresses, telephone numbers, education details, professional details and employment history.
Talenthook in trouble
Although it may not seem like much, the cache is a treasure trove for cybercriminals. Knowing that these people are actively looking for new job opportunities, attackers can craft fully personalized and highly relevant phishing emails, encouraging people to download malware or to share login credentials.
For example, the North Korean state-sponsored group Lazarus often targets job seekers on LinkedIn and elsewhere, sharing fake job description files that are nothing more than malware.
In some cases, they put the victim through several job-interview hoops before asking for “test work” that involves downloading the malicious code.
Cybernews later determined that the container belonged to Talenthook, a cloud-based applicant tracking system that connects HR departments with job seekers.
Usually, when researchers find unprotected databases like this one, they inform the owners and get it locked down quickly. However, in this case, there was no confirmation that Talenthook actually restricted access.
Instead, the Cybernews team shared advice with Talenthook, urging the team to “modify access controls to restrict public access and secure the container”. Therefore, it is safe to assume that the database remains unlocked and available for anyone to find. The researchers also did not say whether someone had already found it, but that is always a strong possibility.
At press time, there was no evidence that the data had already been found and abused in the wild.
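The advice Cybernews gave Talenthook, restricting public access on the container, is a check any Azure tenant can run on its own storage. The script below is an added example written for this article; it is not Cybernews' or Talenthook's code and says nothing about how their container was configured. It assumes the Az PowerShell module is installed and the session is signed in (Connect-AzAccount) to the subscription that owns the storage accounts; the -Remediate switch is the script's own, not an Azure parameter.

```powershell
# Added audit/remediation example (not from Cybernews or Talenthook).
# Assumes the Az PowerShell module and an active Connect-AzAccount session
# with rights to read and update the storage accounts in the subscription.
[CmdletBinding()]
param(
    # Constructed switch: when set, turn public access off instead of only reporting it.
    [switch]$Remediate
)

$findings = @()

foreach ($account in Get-AzStorageAccount) {
    # Account-level guardrail: with AllowBlobPublicAccess set to $false, no
    # container in the account can be anonymously readable, whatever its own
    # ACL says. $null means the property was never set explicitly.
    $accountAllowsPublic = ($account.AllowBlobPublicAccess -ne $false)

    if ($accountAllowsPublic) {
        $findings += [pscustomobject]@{
            Account   = $account.StorageAccountName
            Container = '(account setting)'
            Issue     = 'AllowBlobPublicAccess is not false'
        }
        if ($Remediate) {
            Set-AzStorageAccount -ResourceGroupName $account.ResourceGroupName `
                -Name $account.StorageAccountName -AllowBlobPublicAccess $false | Out-Null
        }
    }

    # Container-level ACL: 'Blob' lets anonymous readers fetch any blob whose
    # URL they know; 'Container' additionally lets them list the blobs, which
    # is how a container full of files gets found and downloaded in bulk.
    foreach ($container in Get-AzStorageContainer -Context $account.Context) {
        if ($container.PublicAccess -and $container.PublicAccess -ne 'Off') {
            $findings += [pscustomobject]@{
                Account   = $account.StorageAccountName
                Container = $container.Name
                Issue     = "PublicAccess = $($container.PublicAccess)"
            }
            if ($Remediate) {
                Set-AzStorageContainerAcl -Name $container.Name -Permission Off `
                    -Context $account.Context | Out-Null
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No publicly readable containers or permissive account settings found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it without arguments to get a report, and with -Remediate to apply both fixes. Two caveats: $account.Context authenticates with the account key, so on accounts where shared-key access is disabled you would build the context with New-AzStorageContext -UseConnectedAccount instead; and turning off public access does not revoke SAS tokens that were issued earlier, which have to be rotated separately.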