Leak of 191,000 email addresses from Avito resumes

About a week ago, while googling an unknown number (from my missed calls), I stumbled upon it in a PDF file from Avito. The direct link returned an error, but the file had made it into the search cache. It looked something like this:

Issue Example

General form of the link: "m.avito.ru/[address of the announcement]/export/pdf".

Everything can be found with the query "site:avito.ru inurl:export/pdf" (Google, Yandex).

While Google promises 191,000 results (it actually returns about 640; apparently a results limit kicks in), Yandex has only 152 results and does not expose the cache directly (but the addresses themselves can easily be pulled out with slightly modified queries such as "site:avito.ru inurl:export/pdf mail.ru"). The period covered is August to November of this year.

The official response of the company:

Official answer

So it's your problem and mine that the company leaked our data to the public network; everything is fine.

Judging by the fact that the search results contain only resumes (and obviously not all of them), I can assume that Avito gives companies and their recruiters some kind of access to the resume database with the ability to export. Moreover, in the agreement Avito reserved the option of transferring this data to third parties:

10.1. Avito has the right, and the User hereby gives his consent to this, to transfer its rights and/or obligations under this User Agreement, both in whole and in part, to a third party.
10.2. In the case of transfer of rights and/or obligations, both in whole and in part, under this User Agreement to a third party, the third party has the right to provide analogous or similar services on another site.

But besides these clauses, there are others in which Avito undertakes to keep this data confidential:

Avito takes all necessary measures to protect the User’s personal data from unauthorized access by third parties.

On November 23, I sent a request to the support service describing the problem; they replied with two standard answers: “Thank you for contacting Avito Support Service” and “A check will be carried out on your request.” I think a few days should have been enough to fix robots.txt and clear the results? Unfortunately, I could not find any contacts for the security team or administrators. Then I contacted the resource's official VKontakte group, repeating the problem description; you can see the answer above.
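One way to check the robots.txt fix mentioned above, as an added example that is not code from the original post or from Avito: a small Python matcher for Google-style wildcard rules (`*`, trailing `$`, longest match wins) that reports which export URLs a crawler may still fetch. The robots.txt contents and URL paths are constructed samples.

```python
import re

def parse_rules(robots_txt, agent="*"):
    """Collect (allow, pattern) rules from every group naming `agent`."""
    rules, active, in_agents = [], False, False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        field, value = (p.strip() for p in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if not in_agents:          # a new group starts here
                active = False
            in_agents = True
            active = active or value.lower() == agent.lower()
        elif field in ("allow", "disallow"):
            in_agents = False
            if active and value:       # an empty Disallow blocks nothing
                rules.append((field == "allow", value))
    return rules

def _to_regex(pattern):
    """Translate robots.txt wildcards: '*' = any run, trailing '$' = end."""
    anchored = pattern.endswith("$")
    body = pattern[:-1] if anchored else pattern
    rx = ".*".join(re.escape(part) for part in body.split("*"))
    return re.compile(rx + ("$" if anchored else ""))

def still_crawlable(robots_txt, paths, agent="*"):
    """Return the paths a crawler may fetch (longest rule wins, Allow on ties)."""
    rules = parse_rules(robots_txt, agent)
    exposed = []
    for path in paths:
        best = (-1, True)              # no matching rule means allowed
        for allow, pattern in rules:
            if _to_regex(pattern).match(path):
                best = max(best, (len(pattern), allow))
        if best[1]:
            exposed.append(path)
    return exposed

# Constructed samples, not Avito's real robots.txt or URLs.
WEAK = "User-agent: *\nDisallow: /export/pdf\n"   # prefix rule misses nested paths
FIXED = "User-agent: *\nDisallow: /*/export/pdf\n"
PATHS = ["/city/resume/sample_1/export/pdf", "/city/resume/sample_1"]

if __name__ == "__main__":
    print("weak :", still_crawlable(WEAK, PATHS))
    print("fixed:", still_crawlable(FIXED, PATHS))
```

robots.txt applies per host, so a mobile host such as the m.avito.ru links above needs its own copy of the rule. A Disallow rule only stops further crawling; copies already in a search cache still have to be removed separately.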

I hope the company will pay attention to the problem in the near future.

UPD 28.11: Avito does not react in any way; I’m clearing some of the cache myself.
UPD 30.11: Yandex results are almost cleared, only 3 results (all 152 results are back again; apparently there was a temporary glitch in the results), and Google now finds “only” 185,000 results.
UPD 01.12: VKontakte answered again, we are waiting for the results:

UPD 08.12: Everything is clean, both on Google and Yandex. The query gives 1-3 results, but without a cached copy.
UPD 14.12: Google shows 137,000 results with cache; Yandex is empty.
