A Singaporean remote hiring platform left a large database unprotected on the internet, accessible to anyone who knew where to look. Since the database contained plenty of sensitive information, the company has inadvertently placed hundreds of thousands of people at risk of data theft, identity theft, phishing, fraud, and more.
In early August 2024, the Cybernews research team discovered a misconfigured Amazon S3 bucket said to contain more than 280,000 files, including CVs and resumes.
Further investigation attributed the database to Snaphunt, an online hiring platform that connects employers with job seekers. Although it’s based in Singapore, the company is global, and thus most likely holds sensitive information on people around the world. It offers features like pre-screening, skills assessments, and remote hiring tools.
Social engineering
The archive contained information generated between 2018 and 2023, including people’s full names, phone numbers, email addresses, places of birth, nationality, date of birth, social media links, employment history, and educational background.
“The potential for social engineering attacks is elevated, as attackers can impersonate fake recruitment agencies or leverage the leaked data to infiltrate professional networks, spreading malware or extracting further confidential information,” Cybernews explained.
Job-related scams are nothing new: just this week, news broke that a company got hacked after hiring a North Korean hacker who faked their entire identity. The unnamed firm lost sensitive data and received a demand for a six-figure ransom payment in exchange.
Unprotected databases remain one of the most common causes of data leaks. Many organizations, including some of the world’s biggest enterprises, were found operating internet-accessible archives with no password protection, putting many of their customers at risk.
Most of the time, the vulnerability is nothing more than an honest employee mistake.