Rocket — previously known as Waahjobs and Aasaanjobs — is a popular online job search platform that caters to entry-level and blue-collar workers and has multiple offices across four cities in India. Here’s a quick breakdown of our findings:
Rocket Job Search Site Leaks Applicants’ Information
Kat Oran, our security team’s database analyst, investigated the bucket and found 243,607 names and phone numbers belonging to job applicants. The database also contained 133,532 email addresses.
In addition to the database, Rocket also exposed some of its internal data. They accidentally leaked information about salaries and hiring trends for blue-collar and entry-level jobs in India. Shortly after the discovery, we could confirm that the data belonged to Rocket. The platform users are required to provide their names and mobile phone numbers when applying for a job listing. “Although names and phone numbers being leaked might not seem like a big deal, it can affect someone’s privacy and security if the information becomes known by the wrong group of people,” Oran said.
Timeline
Here is a timeline of events: Rocket closed the breach the same day we notified them, though we received no direct reply. Rocket also did not respond to our requests for comment.
Spear Phishing Threats with Data Leaks
Phishing emails can usually be spotted because the communication itself is completely random. The same goes for vishing calls (voice phishing) and smishing (SMS or text phishing) messages. You’ll be contacted by a random stranger from the other side of the world, or perhaps a website or business you have no connection to. The next thing you know, they’re trying to pry credit card or other sensitive information from you. That’s the idea behind a phishing attack — a threat actor casts out a wide net and sees what comes back. However, when cybercriminals get their hands on personal contact information and companies or sites a target actually uses, they can more easily fall victim to such cyberattacks. This tactic is called spear phishing, and lets cybercrooks hone in on their targets. “Stolen data ends up on the dark web quite regularly, and hackers, scammers, and spammers can use it to run much more focused attacks,” Oran said. “If they have your name, phone number, email, and a website you’re associated with, it could be much easier for someone to fall for such an attack.” Sophisticated cybercriminals could also gather data from other public outlets — like your LinkedIn or Facebook page — to further compile a profile. To anyone affected in the breach (or any data leak), we recommend watching out for any suspicious calls or messages, especially those asking for sensitive information or payments. Treat any communication from unknown numbers or email domains with extreme caution.
Cybersecurity Threats Rampant in India
India has been plagued with waves of cybercriminal activity in recent years, and law enforcement across the country constantly put out alerts to the public to keep them aware of the latest ploys. While the public should remain vigilant against ever-evolving phishing attacks, it’s also important to stay ahead of other kinds of threats. In recent months, scammers in India have been using the ruse of loan schemes to trick their targets. In some of these scams — as the bust of an international gang of fraudsters by the Mumbai cyber police revealed — apps can take complete control of a victim’s device, which can lead to extortion or sextortion attempts. In June, we reported on a new WhatsApp call-forwarding scam that was first discovered in the country. Savvy cybercriminals used social engineering tactics to trick victims into turning on call-forwarding, then would request a one-time password to lock them out. In July, the Delhi Police shut down a fake call center operation where the scammers managed to dupe over 150 people. In late 2021, hackers managed to breach Indian Prime Minister Narendra Modi’s Twitter account, spreading misinformation that the country was adopting Bitcoin as legal currency and would distribute free cryptocurrency to the public. “No matter what country you live in, you take a risk when you share your information with a company,” Oran said. “But there are a few things you can do to help protect yourself online. You can use temporary or burner emails when signing up and registering, and likewise, get a phone number that is only used for that purpose. In the case your IP address and location are recorded and logged, a VPN can also help protect your online data.”