The GeekedIn recruitment project scraped user data from GitHub and other similar websites, but data were inadvertently leaked online.

The popular security expert Troy Hunt, who operates the data breach notification service the owner ‘Have I Been Pwned,’ recently received a 600 Mb MongoDB backup file containing data from a tech recruitment website called GeekedIn.

The analysis of the data dump revealed the presence of more than 8 million GitHub profiles, including names, email addresses, locations and other data.

“On Saturday, a character in the data trading scene popped up and sent me a 594MB file called geekedin.net_mirror_20160815.7z. It was allegedly a MongoDB backup from August belonging to a site I’d not heard of before, one called GeekedIn and they apparently do this:” reported Troy Hunt.

The archive includes over one million of valid email addresses, the remaining part is composed of email “username@github.xyzp.wzf” evidently associated with GitHub accounts with no public email address.

The database also contains thousands of accounts apparently taken from BitBucket.

GeekedIn service crawls code hosting repositories, including GitHub and BitBucket, and creates profiles for open-source projects and developers. The GeekedIn data could be used by recruiters to hire developers whose skills match their needs.

The data gathered by the service are public and does not include any sensitive information such as passwords, but GitHub does allow users to use its data for commercial purposes.

The data was stored in a MongoDB database that was exposed on the internet and accessible to anyone.

“And again, yes, you can go and pull this data publicly on a per-individual basis but the constant response I got from close confidants I shared this information with is that ‘it just feels wrong’. And it is wrong, not just the scraping of GitHub in the first place in order to commercialise our information, but then subsequently losing it via a MongoDB with no password and now having it float around the web in data breach trading circles.” wrote Hunt.

At the time I was writing GeekedIn website is down.

In the last year, we observe several cases related to MongoBD databases poorly configured and exposed online.  In July 2015, John Matherly, the creator of Shodan search engine for connected devices, revealed that many MongoDB administrators have exposed something like 595.2 terabytes of data by using bad poor configurations, or un-patched versions of the MongoDB.

medianet_width=’300′; medianet_height= ‘250’; medianet_crid=’762221962′;

Pierluigi Paganini

(Security Affairs – GeekedIn, hacking)

The post GeekedIn service exposed 8 million GitHub profiles online appeared first on Security Affairs.

Source: securityaffairs

Technology recruitment site GeekedIn has scraped 8 million GitHub profiles and left the information exposed in an unsecured MongoDB database. The backup of the database was downloaded by at least one third party, and it’s likely being traded online. Troy Hunt, the security researcher who runs the Have I been Pwned? service and whose own information is in the compromised backup file, received the file, and ultimately notified GitHub of the matter. His analysis of … More
Source: helpnetsecurity

A data leak has exposed sensitive information about millions of job seekers that used global recruitment firm Michael Page. The leak has once again been revealed to the leaking company through Troy Hunt, the creator and administrator of the Have I Been Pwned (HIBP) online service. “It was the same individual who located the Red Cross data and the same story in terms of discovery an underlying risk on the server end; publicly exposed website, … More
Source: helpnetsecurity

Personal information of some 550,000 Australian blood donors has been sitting exposed on a web developer’s server and has been downloaded by a person who effectively stumbled on it. The person contacted Troy Hunt of the Have I Been Pwned (HIBP) online service, and has passed the information to him to choose what to do next. Hunt contacted AusCERT, who then took on the responsibility to work with the Red Cross Blood Service to solve … More
Source: helpnetsecurity

Following in Edward Snowden’s footsteps, yet another NSA contractor has leaked highly classified trade secrets and government information. My question to you: Are we really all that surprised? What’s most alarming is that even if the NSA had the best security measures in the world, what does this say about the our overall state of security? Executives, government officials and politicians especially, are paying close attention to cybersecurity, but it’s clear that a fundamental change … More
Source: helpnetsecurity

Sensitive personal information of some 1.5 million users of several dating/cheating websites and apps has been found to be accessible via the Internet. This information includes the users’ username, (plaintext) password, email address, gender, date of birth, country of residence and photos, as well as sexual preferences. MacKeeper researchers found the unsecured MongoDB database and traced it to New Zealand-based company C&Z Tech Limited, which runs haveafling.mobi, haveafling.co.nz, haveanaffair.co.nz, haveanaffair.mobi, hookupdating.mobi and the mobile application … More
Source: helpnetsecurity