Job listing website IIMjobs.com suffered a database breach on Monday, exposing the personal data of nearly 1.4 million users who were registered on the website. The leaked data includes the names, phone numbers, email addresses and locations of the users, their industry of work and links to their LinkedIn profiles, Inc42 reported.
The report says that around 50 gigabytes of data was being sold on a dark-web marketplace. The breach also exposed the users’ encrypted passwords, which were based on the MD5 message-digest algorithm, an outdated method for encryption, it said, citing a cyber-security researcher. However, most of the leaked data in the MySQL database is from last year, and the most recent data pertains to a user who was registered in January 2019, the researcher said.
IIMjobs, operated by Highorbit Careers Pvt Ltd, was founded in 2008 by Tarun Mata, an IIM Indore alumnus who previously worked at Neilsoft, CSC, and Alcatel Lucent. In May 2019, Info Edge India, which operates Naukri.com, Jeevansaathi.com and 99acres.com, acquired Highorbit Careers for Rs 81 crore. Info Edge told Inc42 that it is investigating the platform and that it would take some time to deep dive into the alleged problem, the report says.
While incidents of data breaches and of personal information being sold on the dark web are increasing year-on-year, the Indian government is yet to introduce a personal data protection law in Parliament. Although several state governments have cyber-security-specific police departments where customers and users can register their complaints, very few actually do so, while the police departments themselves are under-resourced to take on such crimes. Recently, the government said it is working on a new national cyber security strategy.
Numerous data breaches in recent months
Recently, Reliance Digital exposed data of several customers based on a survey it conducted on the upcoming launch of the PlayStation 5. In November, data of over 2 crore BigBasket users was leaked and was being sold on the dark web, and in August, over 700,000 email addresses of users of the travel marketplace website RailYatri had been leaked. In July, hyperlocal delivery platform Dunzo disclosed that its database was breached by an attacker, and Disney+ Hotstar, the streaming platform, said that some of its users’ accounts were compromised because of “data breaches on other platforms”. In June, a report by VpnMentor said that over 7 million records of BHIM UPI app users were breached. And in May this year, data of about 29 million Indian job seekers was leaked on the dark web.
Prior to these incidents, earlier this year it was revealed in a Twitter post that Royal Enfield had exposed a database of at least 452,000 people in January 2020, while personal details of more than 1.2 million SpiceJet passengers had been exposed. In January this year, at least 3,000 email addresses of government officials belonging to the Indian Space Research Organisation (ISRO), Bhabha Atomic Research Centre (BARC), Ministry of Corporate Affairs, Ministry of External Affairs, Atomic Energy Regulatory Board (AERB) and Securities and Exchange Board of India (SEBI) had been compromised and were available on the dark web.