Cisco data leak – Job applications portal leaked personal information

Cisco data leak – Cisco has fixed a security vulnerability in the company Professional Careers portal that exposed personal information of the users.

Cisco data leak – Cisco has fixed a security vulnerability existing in the company Professional Careers portal that may have leaked personal information. Cisco has notified the issue to the affected users via mail in which it clarifies that just a “limited set of job application related information” was leaked from the mobile version of the website.

What happened?

According to the security advisory sent by CISCO to its users, data leakage was the result of an “incorrect security setting” placed after system maintenance on a third party site.

Cisco data leak includes name, username, password, email, address phone number, answers to security questions, education and professional profile, cover letter and resume text, and other personal information.

The incorrect configuration was exposing data from August 2015 to September 2015, and again from July 2016 to August 2016. The issue was discovered by an unnamed researcher that ethically reported it to the company.

“An independent security researcher discovered that a limited set of job application related information from the Cisco Professional Careers mobile website was accessible. Cisco’s investigation found this to be the result of an incorrect security setting following system maintenance.” reads the security note. “The issue was immediately fixed and passwords to the site have been disabled. Because Cisco takes its responsibility to protect information seriously, and since many people use the same passwords on multiple websites, we wanted to alert you to this incident. As a precaution, users of Cisco’s Professional Careers Website will need to reset their passwords at their next login by clicking “forgot my password”. “

Cisco confirmed that at the time it fixed the issue it has not found evidence of unauthorized accesses to its systems, however it discovered an unexplained connection to the server.

“We do not believe that the information was accessed by anyone beyond the researcher who found and reported the issue. However, there was an instance of unexplained, anomalous connection to the server during that time, so we are taking precautionary steps.” states Cisco.

In response to the incident Cisco precautionary reset password of the users of Cisco Professional Careers Website

“Upon learning this, the setting was immediately corrected and user passwords to the site were reset. Because Cisco takes its responsibility to protect information seriously, and since many people use the same passwords on multiple websites, we wanted to alert you. As a precaution, as a user of the Cisco Professional Careers Website, you will need to reset your password at their next login by clicking “forgot my password” reads the NOTICE OF DATA BREACH of the Cisco data leak.

The exposed data could be used for social engineering attacks against the users. Cisco offered free 90-day fraud alerts on their accounts to the affected users.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Cisco data leak,  CISCO)