- Bewanted, a large European job seeker platform, has left a Google database exposed online
- The database contained more than 1.1 million records, mainly CVs
- The data belongs to people around the world, who could now be at risk
A large European employment platform has reportedly exposed sensitive data belonging to one million users, researchers said.
Cybernews revealed that its researchers discovered an unprotected Google Cloud Storage (GCS) bucket belonging to Bewanted, described as “one of the largest employment platforms in Europe”.
The bucket contained more than 1.1 million files, mainly curricula vitae (CVs) belonging to job seekers around the world, especially in Spain, Argentina, Guatemala, Honduras, etc.
No answer
That being said, anyone who found the database beforehand would have obtained people's full names, telephone numbers, email addresses, postal addresses, birth dates, national identification numbers, nationalities, birthplaces, social network links, professional history and education history.
This is more than enough information to carry out phishing or identity fraud attacks. Job offers are a common phishing lure, and knowing who is looking for a new position gives cybercriminals a unique opportunity to craft convincing phishing emails.
With these emails, they could deliver malware, steal login credentials, break into the computer networks of the victims' current employers, etc.
Based in Madrid, Spain, with offices in Mexico, Germany and the United Kingdom, Bewanted is described as a software-as-a-service (SaaS) business that connects job seekers to potential employers.
Cybernews researchers said they tried to contact Bewanted and get the company to lock down the database, but the company never responded to any of their requests. Consequently, “the data remains accessible to the public,” they said.
The team discovered the unprotected GCS bucket in November 2024, so it has been open on the internet for at least half a year now.
Anyone who knew where to look (for example, using specialized search engines like Shodan) could have already found it. However, without forensic analysis, it is impossible to determine whether that has already happened.