Our VPNOverview cybersecurity research team recently discovered a flaw that leaked the personal information of job hunters on the Indian job search site, Rocket. Researchers were able to sift through the names and phone numbers of 243,607 Rocket users, many of whom also had their email addresses leaked.
Rocket — previously known as Waahjobs and Aasaanjobs — is a popular online job search platform that caters to entry-level and blue-collar workers and has multiple offices across four cities in India.
Here’s a quick breakdown of our findings:
Rocket Job Search Site Leaks Applicants’ Information
We found a database backup file that Rocket had stored insecurely on an open Amazon Web Service (AWS) S3 bucket. AWS S3 buckets are very popular cloud storage tools for companies of all sizes. While this is a very useful and convenient service for storing data analytics and making backups, leaving an S3 bucket open to the public has dangerous cybersecurity implications.
Kat Oran, our security team’s database analyst, investigated the bucket and found 243,607 names and phone numbers belonging to job applicants. The database also contained 133,532 email addresses.
In addition to the database, Rocket also exposed some of its internal data. They accidentally leaked information about salaries and hiring trends for blue-collar and entry-level jobs in India.
Shortly after the discovery, we could confirm that the data belonged to Rocket. The platform users are required to provide their names and mobile phone numbers when applying for a job listing.
“Although names and phone numbers being leaked might not seem like a big deal, it can affect someone’s privacy and security if the information becomes known by the wrong group of people,” Oran said.
Here is a timeline of events:
|We discovered personal information in an AWS S3 database backup||August 7, 2022||11:15 AM EST|
|We were able to confirm that names, phone numbers and emails belonged to Rocket users||August 12, 2022||5:00 AM EST|
|We emailed Rocket to notify them that this information was publically available.||August 12, 2022||5:58 AM EST|
|Notified via software that Rocket had secured their bucket and closed the breach||August 12, 2022||7:21 PM EST|
Rocket closed the breach the same day we notified them, though we received no direct reply. Rocket also did not respond to our requests for comment.
Spear Phishing Threats with Data Leaks
Phishing emails can usually be spotted because the communication itself is completely random. The same goes for vishing calls (voice phishing) and smishing (SMS or text phishing) messages. You’ll be contacted by a random stranger from the other side of the world, or perhaps a website or business you have no connection to. The next thing you know, they’re trying to pry credit card or other sensitive information from you. That’s the idea behind a phishing attack — a threat actor casts out a wide net and sees what comes back.
However, when cybercriminals get their hands on personal contact information and companies or sites a target actually uses, they can more easily fall victim to such cyberattacks. This tactic is called spear phishing, and lets cybercrooks hone in on their targets.
“Stolen data ends up on the dark web quite regularly, and hackers, scammers, and spammers can use it to run much more focused attacks,” Oran said. “If they have your name, phone number, email, and a website you’re associated with, it could be much easier for someone to fall for such an attack.”
To anyone affected in the breach (or any data leak), we recommend watching out for any suspicious calls or messages, especially those asking for sensitive information or payments. Treat any communication from unknown numbers or email domains with extreme caution.
Cybersecurity Threats Rampant in India
India has been plagued with waves of cybercriminal activity in recent years, and law enforcement across the country constantly put out alerts to the public to keep them aware of the latest ploys. While the public should remain vigilant against ever-evolving phishing attacks, it’s also important to stay ahead of other kinds of threats.
In recent months, scammers in India have been using the ruse of loan schemes to trick their targets. In some of these scams — as the bust of an international gang of fraudsters by the Mumbai cyber police revealed — apps can take complete control of a victim’s device, which can lead to extortion or sextortion attempts.
In June, we reported on a new WhatsApp call-forwarding scam that was first discovered in the country. Savvy cybercriminals used social engineering tactics to trick victims into turning on call-forwarding, then would request a one-time password to lock them out.
In July, the Delhi Police shut down a fake call center operation where the scammers managed to dupe over 150 people. In late 2021, hackers managed to breach Indian Prime Minister Narendra Modi’s Twitter account, spreading misinformation that the country was adopting Bitcoin as legal currency and would distribute free cryptocurrency to the public.
“No matter what country you live in, you take a risk when you share your information with a company,” Oran said. “But there are a few things you can do to help protect yourself online. You can use temporary or burner emails when signing up and registering, and likewise, get a phone number that is only used for that purpose. In the case your IP address and location are recorded and logged, a VPN can also help protect your online data.”