Several gigabytes of data belonging to the global recruitment firm Michael Page were recently leaked online, according to a blog post published by Troy Hunt.
The data contains information, including names, email addresses, encrypted passwords, cover letters, and job history of job applicants from around the world.
Although Troy Hunt's blog reports that the leaked data has now been destroyed, we'll never know for sure whether it really was. Other hackers may have secretly acquired access to this data as well and may plan to misuse it.
As per the information published by Hunt, the leaked MySQL data dump weighs more than 30GB and contains the unique email addresses of over 780,000 people, most of them belonging to job candidates.
Business Insider Australia revealed that the leak affected around 8 million user records, out of which 713,000 were Australians.
Hunt believes that Capgemini was responsible for this leak. A multinational consulting and outsourcing firm with over 180,000 people across 40 countries, Capgemini is a partner of Michael Page and also its outsourcer.
According to Hunt, a vulnerability in Capgemini's servers led to the leakage of data. It is still unclear whether the information was exposed intentionally.
As per reports, the customers of Michael Page received apologetic emails from the organization after the leak was revealed, explaining that there had been unauthorized third-party access to its system and that the company was working with Capgemini to "fix" the problem.
Michael Page also wrote in the email that those affected do not have to change their passwords since they were stored in encrypted format.
In a statement, Michael Page revealed that Capgemini was alerted to the data leak on October 31. They further stated that the data of around 711,000 candidates from the UK, China, and the Netherlands was compromised in the leak.
"Due to the nature of the data, there is limited risk of fraudulent activity for those affected. We can also confirm that no other data has been compromised," Michael Page said.
"We requested that the third-party destroys all copies of the data and they have confirmed that they have already done so."
Hunt had previously exposed the Australian Red Cross data leak, in which a 1.74GB MySQL database backup containing 1.3 million rows and 647 different tables was left publicly available.
Hunt revealed that he was tipped off regarding the Michael Page data leak by the same individual who told him about the Red Cross leak. The individual also sent files to Hunt indicating that the leak was no hoax.
"It was a 362Mb compressed file which extracted out to 4.55GB. Assuming a similar compression ratio, the files in the directory listing above would total well over 30GB of raw data which is a very large set of data to leak publicly," Hunt wrote.
Leaks like these are incredibly beneficial to companies that sell contact details, such as email addresses, to their B2B clients. These companies like to take advantage of such hacks to update and refresh their databases, so they have more information to sell to their customers.
Such leaks are incredibly unfortunate and could easily have been avoided if the concerned companies hadn't been so lazy earlier on. Vulnerabilities like these are common in websites around the world, but mega-corporations like the one involved should have taken care to avoid this, as Troy Hunt himself stated:
"Ask yourself this: would these incidents be making news if they had people looking for these risks early on? I highly doubt it."