Rocket Breach Leaks Personal Contact Data of Over 240,000 Users

Man working on a laptop and taking notes

Our VPNOverview cybersecurity research team recently discovered a flaw that leaked the personal information of job hunters on the Indian job search site, Rocket. Researchers were able to sift through the names and phone numbers of 243,607 Rocket users, many of whom also had their email addresses leaked.

Rocket — previously known as Waahjobs and Aasaanjobs — is a popular online job search platform that caters to entry-level and blue-collar workers and has multiple offices across four cities in India.

Here’s a quick breakdown of our findings:

Infographic with the summary of the Rocket data breach

Rocket Job Search Site Leaks Applicants’ Information

We found a database backup file that Rocket had stored insecurely on an open Amazon Web Service (AWS) S3 bucket. AWS S3 buckets are very popular cloud storage tools for companies of all sizes. While this is a very useful and convenient service for storing data analytics and making backups, leaving an S3 bucket open to the public has dangerous cybersecurity implications.

Some of the Folders that were available in Rocket's public bucket

Kat Oran, our security team’s database analyst, investigated the bucket and found 243,607 names and phone numbers belonging to job applicants. The database also contained 133,532 email addresses.

Excelsheet with blurred personally identifiable information from the Rocket data breach

In addition to the database, Rocket also exposed some of its internal data. They accidentally leaked information about salaries and hiring trends for blue-collar and entry-level jobs in India.

Shortly after the discovery, we could confirm that the data belonged to Rocket. The platform users are required to provide their names and mobile phone numbers when applying for a job listing.

“Although names and phone numbers being leaked might not seem like a big deal, it can affect someone’s privacy and security if the information becomes known by the wrong group of people,” Oran said.

Timeline

Here is a timeline of events:

EventDateTime
We discovered personal information in an AWS S3 database backupAugust 7, 202211:15 AM EST
We were able to confirm that names, phone numbers and emails belonged to Rocket usersAugust 12, 20225:00 AM EST
We emailed Rocket to notify them that this information was publically available.August 12, 20225:58 AM EST
Notified via software that Rocket had secured their bucket and closed the breachAugust 12, 20227:21 PM EST

Rocket closed the breach the same day we notified them, though we received no direct reply. Rocket also did not respond to our requests for comment.

Spear Phishing Threats with Data Leaks

Phishing emails can usually be spotted because the communication itself is completely random. The same goes for vishing calls (voice phishing) and smishing (SMS or text phishing) messages. You’ll be contacted by a random stranger from the other side of the world, or perhaps a website or business you have no connection to. The next thing you know, they’re trying to pry credit card or other sensitive information from you. That’s the idea behind a phishing attack — a threat actor casts out a wide net and sees what comes back.

However, when cybercriminals get their hands on personal contact information and companies or sites a target actually uses, they can more easily fall victim to such cyberattacks. This tactic is called spear phishing, and lets cybercrooks hone in on their targets.

“Stolen data ends up on the dark web quite regularly, and hackers, scammers, and spammers can use it to run much more focused attacks,” Oran said. “If they have your name, phone number, email, and a website you’re associated with, it could be much easier for someone to fall for such an attack.”

Sophisticated cybercriminals could also gather data from other public outlets — like your LinkedIn or Facebook page — to further compile a profile.

To anyone affected in the breach (or any data leak), we recommend watching out for any suspicious calls or messages, especially those asking for sensitive information or payments. Treat any communication from unknown numbers or email domains with extreme caution.

Cybersecurity Threats Rampant in India

India has been plagued with waves of cybercriminal activity in recent years, and law enforcement across the country constantly put out alerts to the public to keep them aware of the latest ploys. While the public should remain vigilant against ever-evolving phishing attacks, it’s also important to stay ahead of other kinds of threats.

In recent months, scammers in India have been using the ruse of loan schemes to trick their targets. In some of these scams — as the bust of an international gang of fraudsters by the Mumbai cyber police revealed — apps can take complete control of a victim’s device, which can lead to extortion or sextortion attempts.

In June, we reported on a new WhatsApp call-forwarding scam that was first discovered in the country. Savvy cybercriminals used social engineering tactics to trick victims into turning on call-forwarding, then would request a one-time password to lock them out.

In July, the Delhi Police shut down a fake call center operation where the scammers managed to dupe over 150 people. In late 2021, hackers managed to breach Indian Prime Minister Narendra Modi’s Twitter account, spreading misinformation that the country was adopting Bitcoin as legal currency and would distribute free cryptocurrency to the public.

“No matter what country you live in, you take a risk when you share your information with a company,” Oran said. “But there are a few things you can do to help protect yourself online. You can use temporary or burner emails when signing up and registering, and likewise, get a phone number that is only used for that purpose. In the case your IP address and location are recorded and logged, a VPN can also help protect your online data.”

Technology policy researcher
Prateek is a technology policy researcher with a background in law. His areas of interest include data protection, privacy, digital currencies, and digital literacy. Outside of his research interests, Prateek is an avid reader and is engaged in projects on sustainable farming practices in India.