[BreachExchange] Applied for a job at Cisco? Your personal data and passwords could have been stolen

Audrey McNeil audrey at riskbasedsecurity.com
Tue Nov 8 19:27:08 EST 2016


https://www.hotforsecurity.com/blog/applied-for-a-job-at-cisco-your-personal-data-and-passwords-could-have-been-stolen-17083.html

Sometimes the devil is in the details.

An incorrect setting could make the difference between your website being
secure, or wide open for hackers to steal massive amounts of personal
data about the people using it.

Cisco has found itself in the uncomfortable position of admitting that the
mobile version of its Professional Careers website at
https://mjobs.cisco.com was leaking the personal details of job applicants.

Information exposed by the vulnerability included job seekers’ names,
usernames, passwords, email addresses, phone numbers, answers to security
questions, educational and professional details, cover letters and resumes,
and other personal details.

In the hands of a social engineering-savvy criminal, such data could be a
goldmine – helping them to assume the identities of others to commit fraud.

In a security note
(https://oag.ca.gov/system/files/%28US%29%20Data%20Incident%20-%20Notice%20to%20Consumers_0.pdf)
shared with the Office of the Attorney General, Cisco explains that it
became aware of the security vulnerability after an unnamed researcher
responsibly informed them of the privacy hole. Apparently, it was the fault
of an incorrect security setting after system maintenance work was
completed.

Unfortunately that configuration mistake left users’ data exposed between
August and September 2015, and again from July to August 2016.

To have one security mess-up might be considered unfortunate, to make the
same mistake again begins to look like carelessness…

Things are made even more serious by the fact that there is no mention from
Cisco of encryption or hashing when it comes to the passwords, suggesting
that if a criminal had managed to access the data – it should be child’s
play to exploit it.

Cisco says that it has now resolved the issue, and has enforced a password
reset for all users. Needless to say, if you do use the Cisco Professional
Careers website, be sure that you are not reusing the same password
anywhere else on the internet.

Fortunately, there is no evidence that a criminal has accessed the
sensitive data – but Cisco has good reason for erring on the side of
caution:

"We do not believe that the information was accessed by anyone beyond the
researcher who found and reported the issue. However, there was an instance
of unexplained, anomalous connection to the server during that time, so we
are taking precautionary steps."

Cisco has told users that they can put 90-day fraud alerts on their
accounts if they wish.

Companies need to do a better job of taking the responsibility of securing
the details of their users (and, indeed, potential job seekers) seriously
or suffer the consequences. Ultimately, users will only have so much
patience with big companies which really should be doing a much better job
of ensuring that security holes don’t open up like this.