Ladders, one of the most popular job recruitment sites in the U.S. specializing in high-end jobs, has exposed more than 13.7 million user records following a security lapse.
The New York-based company left an Amazon-hosted Elasticsearch database exposed without a password, allowing anyone to access the data. Sanyam Jain, a security researcher and a member of the GDI Foundation, a nonprofit aimed at securing exposed or leaking data, found the database and reported the findings to TechCrunch in an effort to secure the data.
Within an hour of TechCrunch reaching out, Ladders had pulled the database offline.
Marc Cenedella, chief executive, confirmed the exposure in a brief statement. “AWS confirms that our AWS Managed Elastic Search is secure, and is only accessible by Ladders employees at indicated IP addresses. We will look into this potential theft, and would appreciate your assistance in doing so,” he said.
TechCrunch verified the data by reaching out to more than a dozen users of the site. Several confirmed their data matched their Ladders profile. One user who responded said they are “not using the site anymore” following the breach.
Each record included names, email addresses and their employment histories, such as their employer and job title. The user profiles also contain information about the industry they’re seeking a job in and their current compensation in U.S. dollars.
Many of the records also contained detailed job descriptions of their past employment, similar to a résumé.
Although some of the data was publicly viewable to other users on the site, much of the data contained personal and sensitive information, including email addresses, postal addresses, phone numbers and their approximate geolocation based off their IP address.
The database contained years’ worth of records.
Some records included their work authorizations, such as whether they are a U.S. citizen or if they are on a visa, such as an H1-B. Others listed their U.S. security clearance alongside their corresponding jobs, such as telecoms or military.
More than 379,000 recruiters’ information was also exposed, though the data wasn’t as sensitive.
- A leaky SMS database exposed password resets and two-factor codes
- Chipotle customers are saying their accounts have been hacked
- We found a massive spam operation — and sunk its server
- Dow Jones’ watchlist of 2.4 million high-risk individuals has leaked
- Stop saying, ‘We take your privacy and security seriously’
- Robocaller firm Stratics Networks exposed millions of call recordings
- Massive mortgage and loan data leak gets worse as original documents also exposed