[BreachExchange] Ladders Data Leak: Over 13M User Records Exposed Due To Cloud Misconfiguration

Destry Winant destry at riskbasedsecurity.com
Thu May 2 12:48:58 EDT 2019


https://www.ibtimes.com/ladders-data-leak-over-13m-user-records-exposed-due-cloud-misconfiguration-2789394

Popular job recruitment website Ladders reportedly exposed over 13
million user records by accident. The leaked data contained
information such as users' names, addresses, email addresses, phone
numbers, employment histories, and more. The exposed records also
contained users' detailed employment descriptions, such as previous
jobs, current salaries, and the desired industry in which they are
hunting for jobs.

The data was stored in an Amazon Web Services (AWS)-hosted
Elasticsearch database without any password protection, TechCrunch
reported. The lack of password protection would have allowed anyone to
access the database, which reportedly contained several years' worth
of data. The leaked information also included the personal data of
around 379,000 recruiters.

The leaky database was discovered by Sanyam Jain, a member of the
non-profit organization GDI Foundation, TechCrunch reported. The data
leak was confirmed by Ladders' founder and CEO Marc Cenedella.


“AWS confirms that our AWS Managed Elastic Search is secure, and is
only accessible by Ladders employees at indicated IP addresses. We
will look into this potential theft, and would appreciate your
assistance in doing so,” Cenedella said in a statement, Techcrunch
reported.

Data leaks caused by cloud misconfiguration have become increasingly
common over the past few years, and they have exposed the personal and
sensitive information of millions of users. In most cases, such leaks
are caused by human error, such as forgetting to password-protect a
cloud-hosted database.
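The article describes an AWS-hosted Elasticsearch domain reachable without authentication, and Ladders' statement says access was meant to be limited to specific IP addresses. The mechanism behind that difference on an AWS-managed Elasticsearch domain is its resource-based access policy, so the added audit check below (example code written for this post, not from the article, TechCrunch, Ladders or AWS) flags policy statements that grant `Principal "*"` with no `Condition` block. The two policy documents, the account ID, domain name and IP range are constructed samples.

```python
import json

# Constructed sample: the weak setting, an AWS Elasticsearch domain policy that
# lets any caller reach the domain with no condition attached.
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "es:*",
    "Resource": "arn:aws:es:us-east-1:123456789012:domain/example-domain/*"}]})

# Constructed sample: the corrected setting, the same grant limited to an
# office IP range, the arrangement the CEO's statement describes.
RESTRICTED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "es:ESHttp*",
    "Resource": "arn:aws:es:us-east-1:123456789012:domain/example-domain/*",
    "Condition": {"IpAddress": {"aws:SourceIp": ["198.51.100.0/24"]}}}]})


def _is_anonymous(principal) -> bool:
    """True when the Principal element grants access to everyone ("*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def open_statements(policy_json: str) -> list:
    """Return the Allow statements that expose the domain to any caller.

    A statement is flagged when its Principal is anonymous and it has no
    Condition block (no aws:SourceIp restriction, or any other restriction).
    Statements that carry a Condition are not evaluated further here.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    return [s for s in statements
            if s.get("Effect") == "Allow"
            and _is_anonymous(s.get("Principal"))
            and not s.get("Condition")]


def is_publicly_accessible(policy_json: str) -> bool:
    """Audit verdict: True when at least one statement is open to the world."""
    return bool(open_statements(policy_json))
```

A policy that passes this check is only one control: a domain can still be exposed through other paths (for example a permissive network configuration), so treat the result as one finding in a wider review, not a complete audit.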

It is unclear whether the data exposed by Ladders was accessed by any
unauthorized parties. It is also unknown how long the data was
exposed before it was discovered by Jain. TechCrunch reported that the
database was taken offline within an hour of it being reported to
Ladders.


More information about the BreachExchange mailing list