Talentbuddy.co / Talentguide.co Database Exposed, Company Reacts Swiftly
May 6, 2016 • RBS
We have seen many news stories about insecure databases on the Internet that are often owned by small private companies who neglected to put any form of authentication in place, and as a result, led to accusations of people “hacking” these databases when they are doing little more than discovering them via Shodan.
This week, one of our researchers discovered an open database that grabbed attention quickly due to its table names. After a few quick checks, it turned out that the database belonged to Talentbuddy.co, which was recently acquired by Udemy.com. After discovering the breach, we reached out to the owners of Talentbuddy.co to alert them that the database for the site, as well as the database for Talentguide.co and those for the Talentbuddy.co workshops and affiliates, were all left open to the world without authentication.
This type of breach is becoming very common, as services like Shodan offer an easy way to browse and discover such open databases, and similar incidents have led to millions of personal records being exposed online. Talentbuddy.co is now a defunct service that was acquired by Udemy in 2016 but used to offer workshops and online courses much like Udemy does. Talentguide.co, however, is still active and serves as a talent search, where you register, enter your talents, and others who are registered can search for your skills to potentially hire you.
One unique aspect of this case is that after reaching out to two of the administrators of Talentbuddy.co, who also do work for Udemy.com, we discovered that within hours the database had been configured to require authentication, and not long after we received a statement and a “thank you” from their administrators. It is rewarding to us when we see a company swiftly respond to a security incident and take the appropriate steps to better protect their customers. From their statement:
Our community’s online security is of the utmost importance. Udemy acquired Talentbuddy in February of this year. On May 5, 2016, there was unauthorized access to a database containing information about talentbuddy.co accounts. We investigated the matter and removed all personally identifiable information from these databases and informed all affected users within less than 6 hours from the time we were made aware of the issue.
In total, 38,791 user accounts from the talentbuddy.co website and a further 22,761 users from the Talentguide.co website were exposed, including usernames, email addresses, passwords, LinkedIn profile information, and other site-related information such as registration dates, company names/IDs, recruiter names, and additional details. It appears they have been active in notifying those affected after a Tweet with the following image attached. Despite the fast reaction to the incident, some users are not happy about it, calling them a “shitty company”.