An unprotected database made it possible for anyone on the internet to view the personal and employment information of 13.7 million users.
Security researcher Sanyam Jain, a member of the GDI Foundation, discovered the database and determined that it belonged to Ladders, a New York-based job recruitment site specializing in high-quality jobs. Jain then shared his findings with TechCrunch.
When it analyzed the database, TechCrunch found that it held 13.7 million records. Each record contained several pieces of personal information, including a person's name, e-mail address, mailing address, telephone number, and IP address. Each record also contained the person's employment data, including their employment history, security clearances and, in some cases, detailed descriptions of previous jobs dating back a few years.
The database, an Amazon-hosted Elasticsearch instance that had no password at the time of discovery, also exposed less sensitive details of 379,000 job recruiters.
TechCrunch then set out to verify the information in the database by contacting more than a dozen users of the site. Several of those people confirmed that the information was correct, and one person said they had stopped using Ladders after becoming aware of the data breach.
TechCrunch also contacted Ladders about the security incident. The recruitment site responded in less than an hour by pulling the database offline.
Marc Cenedella, chief executive of Ladders, told TechCrunch that the company is currently assessing the impact of the breach:
AWS confirms that our AWS Managed Elastic Search is secure and is only accessible to Ladders employees at specified IP addresses. We will investigate this potential theft and would appreciate your assistance.
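The article reports an Elasticsearch instance that was reachable without a password, and the company's statement that the domain should only be accessible from specified IP addresses. An AWS-managed Elasticsearch domain enforces that kind of restriction through its resource-based access policy, so a defender's first check is whether that policy grants access to an anonymous principal without a source-IP condition. The Python below is an added example written for this article, not code from Ladders, TechCrunch or AWS; the two policy documents are constructed samples (placeholder account ID, domain name and documentation-range IP addresses), and the audit logic is a local static check of policy JSON rather than a call to the AWS API.

```python
import ipaddress

# Constructed sample: an access policy that lets any principal on the internet
# call every Elasticsearch action on the domain. Account ID and domain name are placeholders.
OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "es:*",
        "Resource": "arn:aws:es:us-east-1:123456789012:domain/example-domain/*",
    }],
}

# Constructed sample: the same grant, but limited to two office address ranges
# (documentation prefixes) via an aws:SourceIp condition.
RESTRICTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "es:*",
        "Resource": "arn:aws:es:us-east-1:123456789012:domain/example-domain/*",
        "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24", "198.51.100.7/32"]}},
    }],
}


def _principals(stmt):
    """Normalize the Principal element to a list of AWS principal strings."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        values = principal.get("AWS", [])
        return values if isinstance(values, list) else [values]
    return []


def _source_ips(stmt):
    """Return the CIDR ranges named in an IpAddress/aws:SourceIp condition, if any."""
    condition = stmt.get("Condition", {})
    ips = condition.get("IpAddress", {}).get("aws:SourceIp", [])
    return ips if isinstance(ips, list) else [ips]


def find_open_statements(policy):
    """Return (statement index, reason) pairs for Allow statements that an
    anonymous caller could satisfy: no source-IP condition at all, or a
    condition whose range covers every address (e.g. 0.0.0.0/0)."""
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _principals(stmt):
            continue  # only named principals can use this statement
        ips = _source_ips(stmt)
        if not ips:
            findings.append((index, "anonymous principal with no aws:SourceIp condition"))
            continue
        for cidr in ips:
            network = ipaddress.ip_network(cidr, strict=False)
            if network.prefixlen == 0:
                findings.append((index, f"aws:SourceIp condition allows all addresses ({cidr})"))
    return findings


def is_publicly_accessible(policy):
    """True if at least one statement grants access to the whole internet."""
    return bool(find_open_statements(policy))


if __name__ == "__main__":
    for name, policy in (("OPEN_POLICY", OPEN_POLICY), ("RESTRICTED_POLICY", RESTRICTED_POLICY)):
        print(name, "->", find_open_statements(policy) or "no open statements")
```

The check covers only the domain access policy. A domain placed inside a VPC is not reachable from the internet regardless of this document, and a domain with fine-grained access control adds its own authentication layer; conversely, a policy with no IP condition is exactly the state in which a search endpoint answers anonymous requests from anywhere, which is the failure mode the article describes.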
News of the incident comes less than a month after Jain, together with security researchers Devin Stokes and Bob Diachenko, discovered several exposed servers owned by Chinese recruitment agencies.