We know what job you applied for last summer and so do social engineers
Cisco has fixed a vulnerability in its Professional Careers portal that may have exposed truckloads of personal information.
The networking giant has sent an email to affected users in which it says a “limited set of job application related information” was leaked from the mobile version of the website, blaming an “incorrect security setting” placed after system maintenance on a third-party site.
An unnamed researcher reported the flaw. Cisco says it has not found evidence of other unauthorised access but did find “an instance of unexplained, anomalous connection to the server” during the time data was exposed.
Cisco says the borked security settings were in place from August to September 2015, and again from July to August 2016.
It says exposed data may have included real and login names; passwords; physical and email addresses; phone numbers; answers to security questions; users’ education and professions; cover letters and resumes.
Any hacker hoovering up that data would have also gained applicants’ voluntary information including gender, race, and veteran and disability status.
“Upon learning this, the setting was immediately corrected and user passwords to the site were reset,” Cisco told customers in notices posted to the Californian Attorney-General [PDF, PDF].
Cisco says the disclosure shows its “commitment to trust and transparency”, noting that it is alerting users to the possibility their personal information was exposed because users often re-use the same passwords on multiple websites.
It did not mention that the information is perfect fodder for social engineering attacks in which criminals can use personal data to impersonate victims to pass account holder identity validation checks.
Cisco said users can place free 90-day fraud alerts on their accounts, if they want. ®