SQL Injection Leads To BigMoneyJobs.com Leak
April 2, 2014 • RBS
Earlier today, a hacker identified as ProbablyOnion (who recently breached Boxee.tv) posted data from a large job seeker website, resulting in over 36,000 accounts being published online. The website, BigMoneyJobs.com, is a large hub for job seekers and for employers looking to hire them.
The breach was announced over Twitter and posted to the hacker’s Tor hidden service as a 5.94MB Excel spreadsheet containing every member record from the website’s database. The leaked data contains personally identifiable information (PII) for 36,802 members, including full names, home addresses, phone numbers, email addresses, website registration information, and plaintext passwords. Because the passwords are stored in plaintext, anyone with the leak could immediately log in to the site’s user interface as those members.
Based on a quick analysis of the passwords, it is clear that the system allows passwords that do not meet any accepted complexity or strength requirements: some passwords match the user’s first or last name exactly, and others are simple numerical combinations (e.g. 12345). Based on conversations in online forums, the ‘members’ table of the database apparently contains credentials for both employees and employers, and the breach was carried out via a basic SQL injection attack.
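As an added illustration (not code from the original post), this is the kind of quick password audit described above, run over a constructed sample in the shape of the leaked ‘members’ table; the names, passwords and the small common-word list are made up for the example.

```python
from collections import Counter

# Constructed sample rows shaped like a (first name, last name, plaintext
# password) members table. These are made-up values, not leaked data.
MEMBERS = [
    ("Alice", "Johnson", "alice"),        # password equals first name
    ("Bob", "Smith", "12345"),            # digits only
    ("Carol", "Diaz", "Diaz"),            # password equals last name
    ("Dave", "Lee", "Tr0ub4dor&3"),       # passes the checks
    ("Eve", "Park", "password"),          # on the common-word list
    ("Frank", "Ng", "2019"),              # digits only
]

# Tiny illustrative list; a real audit would use a full wordlist.
COMMON_WORDS = {"password", "qwerty", "letmein", "welcome"}

def classify_password(first, last, password):
    """Return a weakness category for the password, or None if it passes.

    Checks mirror the findings in the post: passwords equal to the user's
    first or last name, purely numeric passwords, plus common words and
    very short values as a minimal baseline policy.
    """
    lowered = password.lower()
    if lowered in (first.lower(), last.lower()):
        return "matches_name"
    if password.isdigit():
        return "numeric_only"
    if lowered in COMMON_WORDS:
        return "common_word"
    if len(password) < 8:
        return "too_short"
    return None

def audit(members):
    """Count members per weakness category ('ok' when no check fires)."""
    counts = Counter()
    for first, last, password in members:
        counts[classify_password(first, last, password) or "ok"] += 1
    return dict(counts)

if __name__ == "__main__":
    for category, n in sorted(audit(MEMBERS).items()):
        print(f"{category:13s} {n}")
```

The same classifier can be run against a site's own password policy before deployment, rejecting any candidate for which it returns a category rather than waiting for a leak to reveal the weak entries.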
We have created a DataLossDB incident, added the incident to Cyber Risk Analytics, and reached out to BigMoneyJobs for comment, but had not received a reply at the time of this posting.