Contents:
On December 12, 2022, cybersecurity experts discovered a publicly accessible database containing 260GB of sensitive personal data from myrocket. co, which provides end-to-end recruitment solutions and HR services to Indian businesses.
Nearly 200,000 employees and almost nine million job seekers are estimated to have been impacted by the data leak.
The researchers warn that such data leaks can assist threat actors in crafting targeted phishing campaigns, aid in forgery and identity theft, and trick companies into sending payments.
The company said the issue was caused by a misconfiguration and fixed the issue upon notification.
A Vast Collection of Data Exposed
Because the database was not authenticated, millions of private documents were exposed to the public due to the security loophole. Worryingly, threat actors could also modify the data, changing salary amounts and bank account details.
It identified 435,000 payslips, 300 tax filings, 3,800 insurance payment documents, and 21,000 salary sheets from companies using the HR platform.
Employees’ names, taxpayer information, personal identification numbers, emails, phone numbers, bank details, parent names, dates of birth, salaries, employee roles, insurance, tax information, work contracts, addresses, and even photocopies of personal documents such as driving licenses or voter IDs were all included in the database.
It was also possible for researchers to access data on around nine million job candidates, including insecurely hashed emails, phone numbers, names, and addresses, as well as automatically generated resumes.
Researchers explain that incidents like this are usually caused by misconfigurations and a lack of proper access controls while monitoring sensitive infrastructure. As a result, the issue could have been detected sooner and resolved if the company had observed its infrastructure.
In addition, sensitive information should be stored on servers that accept connections only from trusted IP addresses to protect sensitive data. Finally, according to researchers, separate accounts should be set up for each employee who needs access to the data.
The Company’s Response
The company’s representatives stated that a newly created Kibana instance was incorrectly configured, resulting in the vulnerability. The company claims to have begun an internal investigation to ensure the safety of user data.
Rocket was recently acquired [Dutch-owned OLX bought it back in 2019], and enforcement of parent company standards is in progress, along with architectural corrections. The parent company follows the highest levels of data safety standards, with its tech teams conducting vulnerability assessments with every release and periodically monthly.
Here’s How to Protect Yourself
Suppose you have worked at the company or used myrocket. co in your job search, you should review the sensitive information carefully.
Personal documents were exposed in the leaked database, so victims should contact the government departments responsible for issuing the specific documents. They should request that these documents be invalidated and that new ones be issued.
- Opening a new bank account or monitoring account activity and being cautious about incoming transactions is wise.
- Users should also change their phone numbers or take additional steps to secure the leaked number. However, they should contact their phone service provider and request additional identity verification before making any changes.
- Make sure you use two-factor authentication (2FA).
- You should also monitor tax and insurance accounts related to the leak.
The names, job roles, salaries, dates of birth, home addresses, work contracts, and insurance status of the leaked employees cannot be mitigated much.
Users should be careful when receiving messages, especially those containing leaked information, as threat actors can use this information to launch phishing attacks.
Whenever you receive suspicious emails, do not click any links, and verify any information via trusted sources before acting.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, YouTube, and Instagram for more cybersecurity news and topics.