Incident
On 25th May, researchers from Cyble reported that 2.9 crore Indian jobseekers’ data was exposed on dark web hacking forums, creating panic among registered users of various recruitment platforms. The breached data includes sensitive information such as email addresses, phone numbers, home addresses, work experience, etc. While it is true that a data breach leaked jobseekers’ information, the data posted on the hacking forums as a result of the said breach, dates back to the years 2006-2012.
CloudSEK researchers probed for more information on the breach and the leaked data. They were able to identify users of various hacking forums who are responsible for the recent posts, the content of the leaked files and folders, and most importantly timestamps of the files that confirms the data is outdated.
Attribution
Among several forums that may have published the same data, we were able to identify two users on separate forums responsible for exposing the data.
Russian hacking forum
Registered user of a Russian hacking forum, “beserious” posted a file that contains 12 different folders with leaked data that includes names, addresses, phone numbers, etc., on 20th May. The user claims that the size of the file is 2.3 GB. The post is accompanied by a Russian text that reads “You must have more than 50 reactions to view hidden content.” This restricted CloudSEK researchers to view the file. The user also declined to share the file.
Marketplace forum
User registered to a popular marketplace forum posted the file containing the jobseekers’ data along with a sample of the data, and a link to Cyble’s research indicating that the data contained in the files are from the breach mentioned in that specific research by the the US based cyber intelligence firm. The user posted this on 23rd May, 2020.
Analysis of the data
CloudSEK researchers were denied access to the files that were published on the Russian hacking forum, but were quick to discover the same data for free on the popular dark web trading forum.
- For the purpose of examination, CloudSEK researchers downloaded the information and were able to find the following folders in it:
- The files include sensitive information of several job seekers, such as their name, email address, phone number, current salary, employer details, etc.
- The folder “Employee - Salaried - Jobseekers Database India 5” contains the file “Naukri - 691796.csv”, which may be the reason for even the mainstream media assuming that Naukri has been breached.
- On analysis, we noticed that most of the data in these folders are outdated and that they may have been obtained by scraping files from a past breach. Thus, the 2.9 crore records, that are purportedly from a recent breach, may be quite old; some of them even as old as 2006, and were seemingly ripped off from old sources.
- The timestamps of the files obtained using Exif metadata, shows that about 80% of the files were created between the years 2006 and 2009. Some files were even from 1996 and were updated in the years 2013, 2016, etc.
[caption id="attachment_6418" align="aligncenter" width="663"]
Exif tool timestamps[/caption]
[caption id="attachment_6419" align="aligncenter" width="484"]
Sample creation date of files[/caption]
