HR management platform myrocket.co has exposed the personal information of hundreds of thousands of employees and millions of job candidates.
On December 12, 2022, the Cybernews research team discovered a publicly accessible database with 260GB of sensitive personal data belonging to myrocket.co, a platform offering ‘end-to-end’ recruitment solutions and HR services for companies in India.
The leak is estimated to have affected nearly 200,000 employees and almost nine million job candidates.
Researchers warn that such data leaks are hazardous as they might help threat actors craft targeted phishing campaigns, assist in forgery and identity theft, and trick companies into making payments.
The company said the issue was caused by a misconfiguration and fixed it upon notification.
Treasure trove of data
The discovered database was not protected by authentication. The security loophole resulted in millions of private documents being revealed to the public. Worryingly, it also allowed threat actors to modify the data, changing salary amounts and details of bank accounts used for salary payments.
Researchers found about 435,000 payslips, 300 tax filings, 3,800 insurance payment documents, and 21,000 salary sheets belonging to various companies using the HR platform’s services.
The database contained detailed, sensitive, and personally identifiable information (PII) of employees, including names, taxpayer information, personal identification numbers, emails, phone numbers, bank details, parent names, dates of birth, salaries, payslips, employee roles, insurance and tax information, work contracts, addresses, and even photocopies of personal documents, such as driving licenses or voter IDs.