leaking

Technology recruitment site GeekedIn has scraped 8 million GitHub profiles and left the information exposed in an unsecured MongoDB database. The backup of the database was downloaded by at least one third party, and it’s likely being traded online.

GitHub profiles scraped

Troy Hunt, the security researcher who runs the Have I been Pwned? service and whose own information is in the compromised backup file, received the file, and ultimately notified GitHub of the matter.

His analysis of the file ultimately revealed that:

  • It contains 8.2 million unique email addresses, i.e. records about 8.2 million users of GitHub, Bitbucket (another web-based hosting service for projects), and possibly other online services.
  • Most of these records contain users’ names, usernames, email address, geographic location, professional skills, years of professional experience.
  • All of this information is already online on GitHub and those other services, accessible to anybody – GeekedIn just scraped it and created its own database, access to which is offered to companies interested in finding developers – for a fee.

When contacted, GitHub said that they allow third parties scraping of their users’ data, so long as it’s only used for the same purpose for which they gave that information to GitHub.

“Using scraped information for a commercial purpose violates our privacy statement and we do not condone this kind of use,” they told Hunt.

After he finally managed to get in touch with GeekedIn, they acknowledged the incidente and promised to secure the data.

Hunt made some of this data searchable in raw format through his service, but only a little over 1 million users will be able to find it. He only included the data of those who had a publicly available email address on GitHub.

“This incident is not about any sort of security vulnerability on GitHub’s behalf, rather it relates to a trove of data from their site which was inappropriately scraped and then inadvertently exposed due to a vulnerability in another service,” he made sure to note.


Help Net Security

Seagate is trying to fight off a suit filed by employees whose personal information was lost when the storage giant was hit with a phishing attack.

The company is currently in the midst of a hearing over whether the aggrieved workers have grounds to sue their employer for negligence after someone in human resources was duped into handing over copies of employee W‑2 tax forms.

The suit [PDF], originally filed in July through the Northern California District Court, accuses the hard drive maker of negligence and unfair business practices stemming from the March 1, 2016 incident when a phishing attack lead to the W‑2 information on all Seagate employees, as well as family members and beneficiaries named in employee W‑2 forms.

The suit claims that the attackers have already begun using the information lifted in the breach. It asks that Seagate be required to pay out damages and fees to a nationwide class of Seagate employees and others named in the pilfered W‑2s.

"No one can know what else the cybercriminals will do with the employees' and third-party victims' personally identifiable information. However, the employees and third-party victims are now, and for the rest of their lives will be, at a heightened risk of identity theft," the suit alleges.

"Many employees and third-party victims have already suffered out-of-pocket costs attempting to rectify fraudulent tax returns and engaging services to monitor and protect their identity and credit."

The storage giant, however, disputes the claims and is trying to have the case thrown out of court.

This week, Seagate has entered into hearings on a motion that the case be dismissed on the grounds that it should not be held responsible for the actions of the criminals who carried out the phishing attacks.

"Plaintiffs seek to hold Seagate responsible for harm allegedly caused by third-party criminals," Seagate claims.

"But Plaintiffs cannot state a claim based solely on the allegation that an unfortunate, unforeseen event occurred. They must actually allege facts that show they are entitled to relief from Seagate."

Should Seagate's motion to have the suit thrown out fail, the case will continue toward a jury trial later this year. ®

Sponsored: Flash storage buyer's guide


The Register - Security