Leaky database exposes job seekers to phishing attacks
A dataset belonging to an Italian job searching agency left the details of more than 100,000 people accessible to the public, the Cybernews research team has discovered. Malicious actors could use the information for harmful spear-phishing attacks.
A routine open-source intelligence (OSINT) investigation led the team to a publicly accessible dataset holding information on 106,902 sales agents and 2,418 companies listed on an Italian website that matches sales agents with companies looking for them.
The 1.5GB dataset includes IP addresses alongside a wide range of data the agents had submitted to the job agency: CVs, names, emails, phone numbers, work history, and the regions of Italy where they reside.
"The people who have been exposed by this information will be susceptible to social-engineering attacks, fraud, and other scams for a long time, and so will their companies," Chris Hadnagy, CEO of Social-Engineer, an information security consulting firm, said.
Tuoagente, headquartered in Rome, operates an Italy-based service. At the time of the investigation, the company advertised collaborating with 106,902 sales agents. That’s the exact number of accessible profiles our team discovered – meaning all profiles on Tuoagente were exposed.
The team found the database through an open Elasticsearch instance. Elasticsearch is a popular search and analytics engine favored by enterprises that handle large, constantly updated volumes of data; an instance left reachable from the internet without authentication lets anyone query the indices it holds. The instance our researchers discovered was hosted by OVH Hosting in Montreal, Canada.
The dataset contained personally identifiable information (PII) and was accessible to anyone.
Of the accessible personal profiles, 40,136 had CVs attached, while 49,214 had a phone number included. All of the profiles included emails and names.
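As an added example (not tooling from Cybernews or Tuoagente), the following Python script shows the check an administrator would run against their own Elasticsearch host to confirm the REST API does not answer without credentials, and how to size what an open instance exposes from the `/_cat/indices` output. It assumes the default REST port 9200 and the stock `_cat` API; the sample responses are constructed, with document counts chosen to mirror the figures in this article, and are not captured from the real instance.

```python
"""Check whether an Elasticsearch HTTP endpoint answers without credentials
and, if it does, summarize what the open indices expose.

Added example, not Cybernews' or Tuoagente's tooling. Assumes the default
Elasticsearch REST port (9200) and the stock /_cat/indices?format=json API.
Only probe() touches the network; the classification and summary helpers
run offline on constructed responses so they can be exercised here.
"""
import json
import urllib.error
import urllib.request


def classify(status, body):
    """Map an HTTP status plus body from GET /_cat/indices to a verdict.

    200 with a JSON array -> "open" (anyone can enumerate the indices)
    401 or 403            -> "auth_required" (security features are on)
    anything else         -> "unknown"
    """
    if status in (401, 403):
        return "auth_required"
    if status == 200:
        try:
            parsed = json.loads(body)
        except ValueError:
            return "unknown"
        if isinstance(parsed, list):
            return "open"
    return "unknown"


def summarize_indices(body):
    """Turn /_cat/indices?format=json output into (index, docs, size) rows,
    largest first, skipping Elasticsearch's own dot-prefixed system indices.
    Returns the rows and the total document count across them."""
    rows = json.loads(body)
    indices = []
    for row in rows:
        name = row.get("index", "")
        if name.startswith("."):
            continue
        docs = int(row.get("docs.count") or 0)  # null for closed indices
        indices.append((name, docs, row.get("store.size", "?")))
    indices.sort(key=lambda r: r[1], reverse=True)
    total = sum(r[1] for r in indices)
    return indices, total


def probe(base_url, timeout=5):
    """Fetch /_cat/indices with no credentials and classify the answer.
    Only run this against hosts you are authorized to test."""
    url = base_url.rstrip("/") + "/_cat/indices?format=json"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return classify(resp.status, body), body
    except urllib.error.HTTPError as e:
        return classify(e.code, e.read().decode("utf-8", "replace")), ""
    except (urllib.error.URLError, OSError):
        return "unreachable", ""


# Constructed sample responses (not data from the real instance) in the
# shape /_cat/indices?format=json returns; counts mirror the article.
SAMPLE_OPEN = json.dumps([
    {"health": "yellow", "status": "open", "index": "agents",
     "docs.count": "106902", "store.size": "1.4gb"},
    {"health": "yellow", "status": "open", "index": "companies",
     "docs.count": "2418", "store.size": "9.8mb"},
    {"health": "green", "status": "open", "index": ".kibana_1",
     "docs.count": "12", "store.size": "40kb"},
])

SAMPLE_DENIED = json.dumps({
    "error": {"type": "security_exception",
              "reason": "missing authentication credentials for REST request"},
    "status": 401,
})

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        verdict, body = probe(sys.argv[1])
    else:
        verdict, body = classify(200, SAMPLE_OPEN), SAMPLE_OPEN
    print("verdict:", verdict)
    if verdict == "open":
        indices, total = summarize_indices(body)
        for name, docs, size in indices:
            print(f"  {name:<20} {docs:>10} docs  {size}")
        print(f"  total documents exposed: {total}")
```

Run it with a base URL (`python es_check.py http://host:9200`) to probe a host you are authorized to test; with no arguments it runs against the built-in sample. A verdict of "open" means anyone on the network path can enumerate and read the indices. The fix is to enable Elasticsearch's security features (`xpack.security.enabled: true`) so the API demands credentials, and to bind `network.host` to an internal interface rather than leaving the node on a public address.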
Since Italy is a member of the European Union, leaving PII accessible to virtually anyone on the internet may constitute a violation of the EU's General Data Protection Regulation (GDPR).
Cybernews reached out to Tuoagente several times to disclose the issue. After getting no response to emails, our team managed to contact the company via a live chat on its website. Representatives of the company have been notified of the open database, and the instance has since been closed.
PII leaks can have lasting effects on people whose data falls into the wrong hands. Threat actors could leverage collected information for “market research,” building a personal profile for later use in spear-phishing attacks, or to send other malicious emails.
According to Hadnagy, whose firm Social-Engineer also provides security training, Tuoagente's profile data would allow threat actors to conduct convincing attacks against the individuals whose information was exposed.
“This information could be used in targeted social engineering attacks on company executives and lower-level employees that will allow the hacker to breach that business and steal valuable information, or commit wire fraud and other types of theft," Hadnagy told Cybernews.
Hadnagy explained that malicious actors could also sell PII on the dark web. Worryingly, once the data finds its way to the dark web, it will likely stay there for some time, as identity theft forums thrive on this type of data.
"This is textbook information for a cybercriminal to use in targeted social-engineering attacks that could compromise a significant range of businesses," Chris Pierson, the CEO of BlackCloak, a cybersecurity and online privacy protection company, said.
According to Pierson, threat actors could leverage the profile data to fuel business email compromise (BEC) scams targeting the person's company or the companies they work with.
"In fact, BEC can also be effective when criminals merely spoof the executive's email account or create a similar-looking email to phish other employees or business acquaintances and utilize personal information that only the impersonated executive would know," Pierson told Cybernews.
Threat actors can impersonate acquaintances or masquerade as service providers that potential victims trust. Access to a dataset such as the one our team uncovered would let an attacker easily pose as a former or prospective employer to trick a victim into clicking a link in a malicious email.
Both experts we discussed the Tuoagente case with were convinced that if the data were to leak, it would raise the likelihood of spear-phishing attacks against the individuals whose data the company was storing.
"While a cynic might say that some of the information exposed in this breach may already have been available through public social media profiles (like LinkedIn) or data brokers, it's important to realize that whenever you have a breach where a lot of PII is exposed at once, that makes it easier for a criminal to act," Pierson said.
According to a report from CLUSIT, the Italian Association for Information Security, phishing scams account for 15% of the nation's total cyberattacks.