While shopping for new career opportunities can be fun, losing your personal details in the process is definitely not. That risk became concrete when the research team at Cybernews discovered an exposed Google Cloud Storage (GCS) bucket with over 1.1 million files, owned by the talent pool platform beWanted.
Headquartered in Madrid, Spain, the company describes itself as “the largest Talent Pool ecosystem in the world.” beWanted is a software-as-a-service (SaaS) enabled business, connecting job seekers with potential employers. The company has offices in Mexico, Germany, and the UK.
The team discovered the exposed instance last November, yet despite numerous attempts to contact beWanted, the data remains publicly accessible.
Cybernews have reached out to the company for an official comment, but are yet to receive a reply.
What data from beWanted was leaked?
According to the researchers, the vast majority of the more than one million leaked files are job seekers’ CVs and resumes. The leaked data includes the details a person looking for a new job would typically provide, such as:
- Full names and surnames
- Phone numbers
- Email addresses
- Home addresses
- Dates of birth
- National ID numbers
- Nationalities
- Places of birth
- Social media links
- Employment history
- Educational background
The team believes that a data leak involving over a million files, with each one likely representing a single person, represents a critical security incident for beWanted. Having the data exposed for at least six months makes it even worse: malicious actors continue to scour the web for unprotected instances, downloading anything they can get their hands on.
“This exposure creates multiple attack vectors, enabling cybercriminals to engage in identity theft, where personal information can be used to create synthetic identities or fraudulent accounts,” researchers said.
Malicious actors can also use leaked information to craft highly personalised, credible-looking phishing attempts that could lead to unauthorised access to financial accounts, credentials, or additional sensitive data.
The team also commented: “The leak increases the potential for social engineering attacks, as attackers can impersonate fake recruitment agencies or leverage the leaked data to infiltrate professional networks, spreading malware or extracting further confidential information.”
Moreover, the leaked details revealed that the scope of the problem is global. For example, the leaked national ID numbers come from citizens of Spain, Argentina, Guatemala, Honduras, and other countries.
To mitigate the issue and avoid similar problems in the future, the team advises the following:
- Restrict Public Access: Remove any public permissions on the bucket. Enable Public Access Prevention to ensure the bucket is not accessible by unauthorised users.
- Implement Access Controls: Assign permissions only to authorized users and services based on their specific needs. Follow the Principle of Least Privilege to minimize access.
- Monitor Access Activity: Enable Cloud Audit Logs to track all access to the bucket. Configure alerts through Cloud Monitoring to detect and respond to suspicious activity.
- Enable Data Encryption: Activate server-side encryption to protect data at rest. Utilize Google Cloud Key Management Service (KMS) for secure key management.
- Enforce Secure Data Transmission: Require the use of SSL/TLS for all data transfers to and from the bucket. Block any non-secure (HTTP) connections.
- Adopt Security Best Practices: Conduct regular security audits and reviews of permissions and configurations. Use Google Cloud Security Command Center for automated security assessments.
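The first three recommendations above can be checked before a bucket ever goes live. The script below is an added example, not code from Cybernews or beWanted: it audits a bucket's metadata and IAM policy offline for the two settings that make a bucket world-readable (a binding to `allUsers`/`allAuthenticatedUsers`, and Public Access Prevention left unenforced). The input shapes are assumed to match the GCS JSON API resources (`storage.buckets.get` and `storage.buckets.getIamPolicy`); the bucket name, service account and policy contents are constructed sample values.

```python
# Offline audit of a GCS bucket for the misconfiguration behind this kind of
# leak. Input dicts follow the GCS JSON API shapes (assumption); the samples
# at the bottom are constructed, not taken from the incident.
from typing import Any

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def public_bindings(policy: dict[str, Any]) -> list[tuple[str, str]]:
    """Return (role, member) pairs that grant access to everyone on the internet."""
    found = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                found.append((binding["role"], member))
    return found


def audit_bucket(bucket: dict[str, Any], policy: dict[str, Any]) -> list[str]:
    """List findings a reviewer would raise; an empty list means the checks pass."""
    findings = []
    iam = bucket.get("iamConfiguration", {})
    if iam.get("publicAccessPrevention") != "enforced":
        findings.append("publicAccessPrevention is not 'enforced'")
    if not iam.get("uniformBucketLevelAccess", {}).get("enabled", False):
        findings.append("uniform bucket-level access disabled (legacy object ACLs still apply)")
    for role, member in public_bindings(policy):
        findings.append(f"{member} holds {role}")
    return findings


# Constructed sample: a bucket left open to anonymous readers.
OPEN_BUCKET = {
    "name": "example-talent-pool-uploads",  # placeholder, not the real bucket
    "iamConfiguration": {"publicAccessPrevention": "inherited",
                         "uniformBucketLevelAccess": {"enabled": False}},
}
OPEN_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/storage.admin",
     "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com"]},
]}

# Constructed sample: the same bucket after applying the advice above.
HARDENED_BUCKET = {"name": "example-talent-pool-uploads", "iamConfiguration": {
    "publicAccessPrevention": "enforced", "uniformBucketLevelAccess": {"enabled": True}}}
HARDENED_POLICY = {"bindings": [OPEN_POLICY["bindings"][1]]}

if __name__ == "__main__":
    for finding in audit_bucket(OPEN_BUCKET, OPEN_POLICY):
        print("FINDING:", finding)
```

Feed it the output of `gcloud storage buckets get-iam-policy` and the bucket resource as JSON to run the same checks against a real project.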