The online job site Ladders exposed the records of more than 13.7 million users due to a misconfiguration of its data stores on Amazon Web Services. In addition to the candidate database breach, 379,000 recruiters had their information exposed due to the same configuration error.
What was Ladders’ error?
Ladders’ software engineers misconfigured the access control to their instance of AWS Elasticsearch Service. Elasticsearch Service is, according to Amazon, “a managed service that makes it easy to deploy, operate, and scale Elasticsearch clusters in the AWS Cloud. Elasticsearch is a popular open-source search and analytics engine for use cases such as log analytics, real-time application monitoring, and clickstream analysis.”
According to security researcher and GDI Foundation member Sanyam Jain, the database was up, running and had no access control on the data. It is unknown for how long this mistake left data exposed.
In 2017, security vendor Threat Stack conducted a survey of 200 AWS users and found that 73 percent had left SSH (Secure Shell) open to the public, and approximately 62 percent weren’t using two-factor authentication.
Since then, AWS has been proactive in educating users on how to configure their data stores to limit access and secure data. Indeed, Amazon has a self-help guide on how to configure controls for AWS Elasticsearch Service based on resource-based policies, identity-based policies and IP-based policies.
Furthermore, within the same user-guide compendium of AWS documentation is a section on encryption of data at rest for Amazon Elasticsearch Service.
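To make the difference between an open and an IP-restricted resource-based policy concrete, the following added example (not code from Ladders, Amazon, or the researcher) audits a domain access policy document for statements that allow any principal without a source-IP limit. The sample policies, account ID, domain name and IP range are constructed placeholders, and the helper names are hypothetical.

```python
import ipaddress
import json

RESOURCE = "arn:aws:es:us-east-1:111122223333:domain/example-domain/*"  # constructed placeholder

# Constructed sample: any principal, no condition, so unsigned requests are accepted.
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "es:*", "Resource": RESOURCE}]})

# Constructed sample: same statement, limited to one source range (documentation range).
IP_RESTRICTED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "es:*", "Resource": RESOURCE,
     "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}}]})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when the statement applies to every caller ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def _ip_limited(condition):
    """True when an IpAddress/aws:SourceIp condition exists and no CIDR is a /0."""
    cidrs = []
    for operator, keys in condition.items():
        if operator.lower() == "ipaddress":
            for key, value in keys.items():
                if key.lower() == "aws:sourceip":
                    cidrs.extend(_as_list(value))
    return bool(cidrs) and all(
        ipaddress.ip_network(c, strict=False).prefixlen > 0 for c in cidrs)


def find_open_statements(policy_json):
    """Return indexes of Allow statements open to any principal with no IP limit.

    Deliberately conservative: only a source-IP condition counts as a restriction,
    so anonymous statements guarded by other condition types are still reported.
    """
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    return [i for i, s in enumerate(statements)
            if s.get("Effect") == "Allow"
            and _is_anonymous(s.get("Principal"))
            and not _ip_limited(s.get("Condition", {}))]


if __name__ == "__main__":
    print("open policy findings:", find_open_statements(OPEN_POLICY))
    print("restricted policy findings:", find_open_statements(IP_RESTRICTED_POLICY))
```

A statement whose principal is a specific IAM role or user (an identity-based restriction) is not reported, while an IP condition of `0.0.0.0/0` is treated as no restriction at all.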
What user information did Ladders expose?
In the redacted example from Jain’s research, we see a record from a U.S. citizen, with a Top Secret clearance, who had their name, email address, mailing address, geo-coordinates, and work history exposed.
Remedial steps taken by Ladders.
Ladders’ software engineers, according to CEO Marc Cenedella, have locked down the AWS stored information. What Cenedella did not share is how long the data store had been configured in wide-open access mode.
He noted that Ladders’ AWS instance was now configured for access by Ladders employees and was IP address restricted. Cenedella added that, following these adjustments, Amazon was asked to verify Ladders’ security settings.
In a nutshell, Amazon’s best-practice guidance on access control was put into practice in response to the breach.