Graduate recruitment site exposed 50,000 CVs sent to Virgin Media UK

Kid schools telco: 'So have you heard of access controls?'


Virgin Media has shuttered a kindergarten-grade bug in a third party website that exposed up to 50,000 résumés it's received over the years, complete with names, street and email addresses of applicants.

The vulnerability was due to entirely absent access controls on a public server to which applicants were directed to upload their résumés.

British student hacker Alikhan Uzakov (@alikhan_uzakov) found he was able to peruse the entire directory without restraint or being challenged to log in.

"About 30,000 to 50,000 applications, past and present, were accessible," Uzakov says in a blog.

"Personal information including telephone numbers, emails, where someone lives, and other details were out there in the open: my personal information was exposed as well.

"The problem is patched now but had I been someone with malicious intentions, I could have done a lot more and might not have reported it at all."

Uzakov phoned Virgin Media's London Hammersmith office to report the flaw and "walked" a security engineer through resolving the mind-bending bug.

He says Virgin Media would not comment on the vulnerability nor award him a bug bounty or name recognition for the bug.

The graduate recruitment site has been fixed and is back online. ®

Similar topics

Broader topics


Other stories you might like

  • Software-defined silicon is coming for telecom kit later this year
    Startup EdgeQ believes pay-for-what-you-use model will make 5G transition more cost-effective

    Interview While the IT industry waits to see if and when Intel will introduce software-defined silicon in Xeon CPUs, one startup us is moving ahead with plans to bring a pay-for-what-you-use pricing model to the telecom market with its "base station-on-a-chip" later this year.

    Silicon Valley-based EdgeQ, which is led by Qualcomm and Intel executives, announced last week that it has begun sampling an EdgeQ-based 5G small cell and OpenRAN PCIe accelerator card for base stations with telecom operators and equipment makers.

    Things are apparently moving smoothly enough for the startup that Adil Kidwai, EdgeQ's head of product management, told The Register that its RISC-V-based chip will appear in mass-manufactured products like small cells and base station accelerator cards "by the end of this year."  

    Continue reading
  • Info on 1.5m people stolen from US bank in cyberattack
    Time to rethink that cybersecurity strategy?

    A US bank has said at least the names and social security numbers of more than 1.5 million of its customers were stolen from its computers in December.

    In a statement to the office of Maine's Attorney General this month, Flagstar Bank said it was compromised between December and April 2021. The organization's sysadmins, however, said they hadn't fully figured out whose data had been stolen, and what had been taken, until now. On June 2, they concluded criminals "accessed and/or acquired" files containing personal information on 1,547,169 people.

    "Flagstar experienced a cyber incident that involved unauthorized access to our network," the bank said in a statement emailed to The Register.

    Continue reading
  • There are 24.6 billion pairs of credentials for sale on dark web
    Plus: Citrix ASM has some really bad bugs, and more

    In brief More than half of the 24.6 billion stolen credential pairs available for sale on the dark web were exposed in the past year, the Digital Shadows Research Team has found.

    Data recorded from last year reflected a 64 percent increase over 2020's total (Digital Shadows publishes the data every two years), which is a significant slowdown compared to the two years preceding 2020. Between 2018 and the year the pandemic broke out, the number of credentials for sale shot up by 300 percent, the report said. 

    Of the 24.6 billion credentials for sale, 6.7 billion of the pairs are unique, an increase of 1.7 billion over two years. This represents a 34 percent increase from 2020.

    Continue reading
  • Elasticsearch server with no password or encryption leaks a million records
    POS and online ordering vendor StoreHub offered free Asian info takeaways

    Researchers at security product recommendation service Safety Detectives claim they’ve found almost a million customer records wide open on an Elasticsearch server run by Malaysian point-of-sale software vendor StoreHub.

    Safety Detectives’ report states it found a StoreHub sever that stored unencrypted data and was not password protected. The security company’s researchers were therefore able to waltz in and access 1.7 billion records describing the affairs of nearly a million people, in a trove totalling over a terabyte.

    StoreHub’s wares offer point of sale and online ordering, and the vendor therefore stores data about businesses that run its product and individual buyers’ activities.

    Continue reading
  • Verizon: Ransomware sees biggest jump in five years
    We're only here for DBIRs

    The cybersecurity landscape continues to expand and evolve rapidly, fueled in large part by the cat-and-mouse game between miscreants trying to get into corporate IT environments and those hired by enterprises and security vendors to keep them out.

    Despite all that, Verizon's annual security breach report is again showing that there are constants in the field, including that ransomware continues to be a fast-growing threat and that the "human element" still plays a central role in most security breaches, whether it's through social engineering, bad decisions, or similar.

    According to the US carrier's 2022 Data Breach Investigations Report (DBIR) released this week [PDF], ransomware accounted for 25 percent of the observed security incidents that occurred between November 1, 2020, and October 31, 2021, and was present in 70 percent of all malware infections. Ransomware outbreaks increased 13 percent year-over-year, a larger increase than the previous five years combined.

    Continue reading
  • Millions of people's info stolen from MGM Resorts dumped on Telegram for free
    Meanwhile, Twitter coughs up $150m after using account security contact details for advertising

    Miscreants have dumped on Telegram more than 142 million customer records stolen from MGM Resorts, exposing names, postal and email addresses, phone numbers, and dates of birth for any would-be identity thief.

    The vpnMentor research team stumbled upon the files, which totaled 8.7 GB of data, on the messaging platform earlier this week, and noted that they "assume at least 30 million people had some of their data leaked." MGM Resorts, a hotel and casino chain, did not respond to The Register's request for comment.

    The researchers reckon this information is linked to the theft of millions of guest records, which included the details of Twitter's Jack Dorsey and pop star Justin Bieber, from MGM Resorts in 2019 that was subsequently distributed via underground forums.

    Continue reading
  • India gives local techies 60 days to hit 6-hour deadline for infosec incident reporting
    Customer data collection and retention requirements also increased, including for crypto operators

    India's Computer Emergency Response Team (CERT-In) has given many of the nation's IT shops a big job that needs to be done in a hurry: complying with a new set of rules that require organizations to report 20 different types of infosec incidents within six hours of detection, be they a ransomware attack or mere compromise of a social media account.

    The national infosec agency stated the short deadline is needed as it has identified "certain gaps causing hindrance in incident analysis."

    Organizations can use email, phone, or fax to send incident reports. Just how the analog mediums will improve improve analysis gaps is uncertain.

    Continue reading

Biting the hand that feeds IT © 1998–2022