200 Million Chinese Resumes Leak In Huge Database Breach (thenextweb.com)
According to a report from HackenProof, a database containing resumes of over 200 million job seekers in China was exposed last month. "The leaked info included not just the name and working experience of people, but also their mobile phone number, email, marriage status, children, politics, height, weight, driver license, and literacy level as well," reports The Next Web. From the report: Bob Diachenko, Director of Cyber Risk Research at Hacken.io and bug bounty platform HackenProof, found an unprotected instance of MongoDB containing these resumes on December 28. Diachenko found the resumes in the open database search engines Shodan and BinaryEdge. The 854GB database didn't have any password protection and was open to anyone to read.
Diachenko wasn't able to identify who generated the database or who owned it, but a now-defunct GitHub code repository featured a code that used an identical data structure to the leaked database. The database contained scraped data from multiple Chinese classified websites like bj.58.com. However, in a blog post, the website's spokesperson denied the leak. Interestingly, the database was taken down as soon as Diachenko posted about the database on Twitter. Sadly, the MongoDB log showed at least a dozen IP addresses that read the instance before it went off the grid.
in what job seekers divulge compared to the US.
"marriage status, children, politics, height, weight, driver license" I wonder where their government social scores are tied into this?
Was there any information relating to their social scores? That'd be an interesting leak.
I was asked to review a Chinese person's resume. The personal details they provide are rather astounding by Western standards. Phrases like "attractive," "young," "single," and "appealing" would be huge red flags here in the US, but I was told it's acceptable for their market and culture.
I felt bad for people who couldn't truthfully advertise themselves as attractive, young, single, and appealing over there.
What a country.
Kriston
It seems like whenever a story appears regarding an unprotected database being exposed on the web, inevitably it’s an instance of MongoDB. Why is that?
I mean, we’re not talking about a database exploit which inadvertently exposed the data... we’re talking about user error. So why are all these piss-poor admins running MongoDB?
#DeleteChrome
Find out who has a passport and had approval to travel outside China.
They don't need approval to travel. With a few narrow exceptions, such as paroled criminals, anyone in China can get a passport.
The Mao era ended 43 years ago.
More Chinese travel abroad than citizens of any other country.
Whoever the IT admins (network, systems, cloud, dev) were that facilitated this, I wonder if their resumes were in there. But mostly, I wonder if they'll update their resumes to reflect the more truthful facts regarding their lapse in proper security practices.
Well even if you're the post-privacy type, you become much more vulnerable to identity theft for one thing...
"When information is power, privacy is freedom" - Jah-Wren Ryel
> Ah, yes, the good old Western supremacist view. Looking down on other cultures while celebrating your oh-so-superior one
That idea came from you, not from any of the posts up thread from here. I just want to point that out, you'll have to discuss your inferiority complex with your psychologist.
> Hey, quick quiz, who invented Jim Crow laws?
It's interesting that you picked a specific law instead of something more general, otherwise we could go back to things like the caste system which created permanent legal underclasses, or the Barbary slave trade. The word 'slave', for example, comes from 'Slav', you know, those people from the Baltic region who got enslaved a lot. The concept of slavery itself goes back much further, though.
> Who used nuclear weapons on civilian targets?
Why did you pick this, rather than using weapons of war on civilians in general? Or why not by death toll, or would that invite comparison to the brutality of other regimes and horrors like Holodomor? I think you have a naive view of war if you think that there's a clean separation between military and civilian targets or that either side in a total war would be so concerned. Did no civilians die in Pearl Harbor? Were the balloon bombs sent through the jet stream only aimed at military targets?
Surely the lesson here should be that war is hell and that we should stop waging it, no? Why do we need to decide whose ancestors were worse, and even if we did, why did you cheat with your standard of measurement as if nothing else horrible ever happened in this world? It's ironic, but the pure hell unleashed by that bomb has made at least a generation or two afraid to wage a war that would see it unleashed again, so at least there's some silver lining to that very dark cloud.
> When you point the finger at others, three other fingers are pointing back at you.
Then why did you point the first finger? The fact that you saw a finger pointed at you from those posts which did no such thing only makes you look guilty.