Freely subscribe to our NEWSLETTER

During a routine open-source intelligence (OSINT) investigation, the Cybernews research team came across 470GB of job postings and applicant data. Researchers attributed a dataset of over 218 million entries to an international recruitment agency, Jooble, that runs the website of the same name. The company, operating in 69 countries, confirmed our findings.

"There was a threat of leakage of sensitive data of job seekers from Eastern Europe,” Jooble told us. “We want to assure our users that their names, contact details in Jooble profiles, regions where they are located, or any other personal information have not been compromised. We are grateful to Cybernews for pointing out the vulnerability to us.”

What’s in the dataset

The team discovered the data sitting on an open instance of Elasticsearch, a popular search engine favored by enterprises dealing with large volumes of continually updated data.

Established in 2006 by two Ukrainian students, Jooble has grown to become a global employment platform, and is now being used by businesses and job seekers from Europe, the Americas, Asia, the Middle East, Oceania, and Africa. For US users alone, it has listed over 770,000 vacancies from nearly 20,000 different sites.

Jooble works with publicly aggregated data and uses corporate and personal information for more personalized and targeted search results. User data is stored on “secure servers and can be accessed only by a small number of people and software.”

It added: “Server settings carried out the data protection, but the database was open. After maintenance work on one Jooble server located in the data center, the firewall security protocols did not work correctly.”

The lion’s share of the database that Cybernews discovered is composed of different job postings and searchers for companies. Our findings also indicate that Eastern European job seekers were at risk because the leaked data contained their personal information.

Here’s what we found:

● Around 124GB of data consists of job ads for Germany, of which 64GB seem to be aggregated job postings for the local market, and 60GB ads posted directly to Jooble.org in German
● Another 256GB consists of aggregated job ads or postings for France (86.5GB), the United Kingdom (57GB), Russia (42.63GB), the Netherlands (42.63GB), Poland (19.42GB), and Italy (10GB)
● And 15GB comprises personal applicants’ data, including year of birth, gender, search history, years of work experience, current job preferences, current region, relocation information, and CV-like "about me" descriptions. The largest chunk of this data is Ukrainian, but Hungarian job seekers were also exposed.

Leaving this dataset unprotected could put applicants at risk, and might cause irreparable damage to the owner of the dataset.

"The collection of these job postings and ads is their work, and they just left it open to download for anyone to make a clone and phish users with this data," said Vincentas Baubonis, the lead researcher in the investigation, adding that threat actors could also disrupt business by editing or even destroying the unprotected data.

In 2021, Cybernews found that 30,000 databases worldwide were still completely unprotected and accessible to anyone, including threat actors. Knowing that cybercriminals are on the lookout for leaking records, we reached out to Jooble to make sure they up their security game.

What happened

The database has been closed, and Jooble is “implementing additional threat monitoring to protect the sensitive user data.”

It added: "One of the Elasticsearch cluster’s servers has been in open access for some time. This stored information that we aggregated from the internet. After technical work on one of the Jooble servers in the data center, the firewall security protocols did not work correctly. As a result, there was a threat of leakage of sensitive data from job seekers from Eastern Europe, but the information that allows linking this data to a specific person was not there.”

The company has assured Cybernews that it is implementing additional monitoring solutions to “detect such problems and introduce an authentication mechanism for ElasticSearch” that could prevent similar incidents.

Jooble added: "Servers that store data are locked from the outside, and restricted by password and access level. They are also configured to monitor authentication activity. Physically, they are in a secure data center, which can only be accessed through passes and retina [scans]. Servers are located in cages that have a separate access code.”