200 million resumes of Chinese jobseekers leaked, cybersecurity researcher says

Zheping Huang

A mega database with more than 200 million resumes of Chinese jobseekers has been leaked in one of the biggest China-related data exposures ever, according to European bug bounty platform HackenProof.

Bob Diachenko, a Ukraine-based security researcher with HackenProof, found an open, unprotected database server containing detailed CVs from more than 202 million Chinese users on December 28, he said in a post published this week. The resumes included sensitive information, from names and mobile numbers to marital status and political affiliation.

The database, hosted in the US, was 854 GB in size and held 202,730,434 records in total, according to Diachenko, who posted screenshots of his findings from two data search engines.

Four security researchers contacted by the Post said the data leak described by Diachenko sounded plausible.

“It's like someone leaving their phone out in public with no password protection,” said Jane Wong, a tech blogger who has a history of uncovering hidden features in big internet platforms such as Facebook and Instagram.

Diachenko said the database in question was open to the public from December 23 to 28, but was taken offline soon after he first reported the case on Twitter. By then, at least a dozen IP addresses had already downloaded the data.


An online scraping tool – the source code of which Diachenko found on the GitHub code-sharing site – was most likely used to extract the data from Chinese job portals, including leading player 58.com, according to the post.

“It is unknown whether it was an official application or an illegal one used to collect all the applicants’ details, even those labelled as ‘private’,” Diachenko said in the post.

In response to Diachenko’s query, the security team of 58.com denied that the data was leaked from its servers but acknowledged that it likely came from a third-party scraper.

“We don’t have any resumes leaked from our platform,” a staffer with 58.com’s user complaints department said in a phone call on Friday. “Resumes are only available for third parties if users set them as public.”

58.com’s security team didn’t immediately respond to an emailed request for comment.

This would not be the first major leak of Chinese user data. In August, detailed information on 130 million clients of a Shanghai-based hotel operator went up for sale on the dark web for 8 bitcoin. In May, tens of thousands of users had their data leaked from food-delivery app Meituan.


Chinese laws ban illegal sales or publication of personal information, but there has yet to be any clear liability for government bodies. Lawmakers are calling for a specific bill to protect data privacy. In Europe, the new General Data Protection Regulation (GDPR), which came into effect in May, covers all businesses that deal with EU citizens’ data.

Data scraping, even with permission from individual users, can be illegal if the information is used in any way that goes against the interests of its owner, security experts said.

“Cybercriminals can use that private information to steal your identity and make financial transactions in your name,” Diachenko said in a Signal message.

Huo Ju, a Canada-based security researcher, said the data trove from the 200 million job applicants could be used against them by anyone with the skills to map out their social relations, for example by comparing education, employers and other overlapping experiences across resumes.

“Many non-tech savvy scammers would struggle to find out those relations without a database like this,” Huo said. “Everyone should understand this: you think it’s just a resume, but it can be used for other purposes.”
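To make Huo's point concrete, the following is an added Python example, not part of the article and not code from Diachenko or HackenProof. It runs a simple record-linkage pass over a handful of constructed resume records and infers who likely knows whom from shared schools and overlapping employment. The field names, the sample records and the one-year "classmate" window are assumptions; no real data from the leak is used.

```python
from itertools import combinations

# Constructed sample records, NOT taken from the leaked database.
# The fields (school, graduation year, list of (employer, start, end) stints)
# are assumptions about what a scraped CV typically contains.
RESUMES = [
    {"name": "Applicant A", "school": "Univ 1", "grad_year": 2012,
     "jobs": [("Company X", 2012, 2016), ("Company Y", 2016, 2018)]},
    {"name": "Applicant B", "school": "Univ 1", "grad_year": 2013,
     "jobs": [("Company Z", 2013, 2018)]},
    {"name": "Applicant C", "school": "Univ 2", "grad_year": 2010,
     "jobs": [("Company X", 2014, 2017)]},
    {"name": "Applicant D", "school": "Univ 3", "grad_year": 2012,
     "jobs": [("Company X", 2017, 2019)]},
]


def overlap_years(stint_a, stint_b):
    """Number of whole years two (employer, start, end) stints overlap; 0 if none.

    Only meaningful when both stints are at the same employer; the caller
    checks that.
    """
    _, start_a, end_a = stint_a
    _, start_b, end_b = stint_b
    return max(0, min(end_a, end_b) - max(start_a, start_b))


def infer_relations(resumes, classmate_gap=1):
    """Return (name_a, name_b, reason) triples for every pair of resumes that
    share a school within `classmate_gap` graduation years, or share an
    employer during overlapping years.

    This is the kind of inference a scammer can run over a bulk dump to build
    a believable "we worked together at ..." pretext.
    """
    relations = []
    for r1, r2 in combinations(resumes, 2):
        # Same school, graduating within a year of each other -> likely classmates.
        if (r1["school"] == r2["school"]
                and abs(r1["grad_year"] - r2["grad_year"]) <= classmate_gap):
            relations.append(
                (r1["name"], r2["name"], f"classmates at {r1['school']}"))
        # Same employer with overlapping tenure -> likely colleagues.
        for j1 in r1["jobs"]:
            for j2 in r2["jobs"]:
                if j1[0] != j2[0]:
                    continue
                years = overlap_years(j1, j2)
                if years > 0:
                    relations.append(
                        (r1["name"], r2["name"],
                         f"colleagues at {j1[0]} ({years} overlapping years)"))
    return relations


def relation_graph(resumes):
    """Collapse the inferred relations into an adjacency map name -> set(names).

    Every applicant appears as a key, so isolated people map to an empty set.
    """
    graph = {r["name"]: set() for r in resumes}
    for a, b, _reason in infer_relations(resumes):
        graph[a].add(b)
        graph[b].add(a)
    return graph


if __name__ == "__main__":
    for a, b, reason in infer_relations(RESUMES):
        print(f"{a} <-> {b}: {reason}")
    for person, contacts in relation_graph(RESUMES).items():
        print(f"{person}: {sorted(contacts)}")
```

On the constructed records this links Applicant A to Applicant B as classmates and to Applicant C as former colleagues, while Applicant D, whose stint at Company X only begins the year Applicant C's ends, stays isolated. Run across 200 million records the same two joins yield a social graph that a phone scammer could never assemble from a single resume.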

This article 200 million resumes of Chinese jobseekers leaked, cybersecurity researcher says first appeared on South China Morning Post

Copyright 2019.