UPDATED 21:59 EST / JANUARY 10 2019

SECURITY

Unprotected MongoDB instance exposes resumes of 202 million Chinese nationals

A security researcher has uncovered a publicly exposed MongoDB instance that includes the resumes of 202 million Chinese nationals, but in a new twist, it’s unknown who owns the database.

Discovered by Bob Diachenko of Hacken in late December, the MongoDB instance included 854.8 gigabytes of data with no password/login authentication needed to view and access the details of more than 200 million detailed resumes of Chinese job seekers.

The data is said to include personal information such as mobile phone numbers, emails, marriage details, children, politics, height, weight, driver’s license details, literacy levels, salary expectations and more.

A later drill-down of the data, posted on the Hackenproof blog, suggested that the data may have been gathered illegally by scraping several Chinese classified-ad sites such as bj.58.com.

Despite the source of the data remaining unknown, the MongoDB instance has since been secured.
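The weakness described above is a mongod listening on every interface with authorization switched off. As an added illustration (constructed for this page, not the configuration of the exposed instance, and with a placeholder internal address), here is that exposed layout beside the hardened equivalent in mongod.conf syntax:

```yaml
# --- Exposed: reachable from any network, no credentials required ---
# Constructed example; keys are standard mongod.conf options.
net:
  port: 27017
  bindIp: 0.0.0.0          # listens on all interfaces
security:
  authorization: disabled  # every client gets full access

---
# --- Hardened: loopback plus one internal interface, credentials required ---
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # 10.0.0.5 is a placeholder for an internal NIC
security:
  authorization: enabled       # clients must authenticate as a created user
```

With authorization enabled, an administrative user still has to be created over the loopback connection before remote clients can authenticate, and the host firewall should restrict port 27017 to the application hosts that need it.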

“As instances like this have become more commonplace, organizations should recognize the importance of properly securing any third-party database servers, and take the necessary steps to encrypt data to ensure that it is unusable for malicious purposes should it fall into the wrong hands,” Eric Murray, security architect at Zettaset Inc., told SiliconANGLE. “In this specific case, it’s generally surprising that the resume sites aren’t using rate limiting to prevent data scraping tools from swooping up sensitive user information. Hopefully, this trend we’re seeing with exposed servers shines a light on the significant need for more effective security within them.”

Rod Soto, director of security research at JASK Inc., noted that incidents like this, where a known vulnerable product is exploited, raise the question of whether software developers should be mandated to introduce automatic patching of their code.

“This general process is already in use today, with operating systems and some web applications where updates are automatic, thus reducing the attack surface of these known-to-be-vulnerable apps that are deployed across the internet,” Soto explained.

Soto also noted that forcing updates or patches usually has unintended consequences. “However, due to the amount of breaches like this and related criminal activity that comes with them, it is time to weigh the pros and cons of leaving these products unpatched and exposed versus patching and securing them and dealing with the collateral effects,” he said.

Photo: US Air Force
