
Naukri exposed recruiter email addresses, researcher says
Naukri.com, a popular Indian employment website, has fixed a bug that exposed the email addresses of recruiters using its platform to search and hire talent online.
The issue, discovered by security researcher Lohith Gowda, affected the API that Naukri used on its Android and iOS apps. The API exposed the email addresses of recruiters visiting profiles of potential candidates on Naukri's platform. The issue did not appear to affect the company's website.
'The exposed recruiter email IDs can be used for targeted phishing attacks, and recruiters may receive excessive unsolicited emails and spam,' Gowda told TechCrunch.
He added that exposed email IDs could be added to public breach databases or spam lists, and mass email address scraping could lead to automated bot abuse or scams.
TechCrunch verified the exposure after the researcher shared details about the bug. The researcher confirmed to TechCrunch that the issue was fixed earlier this week, which Naukri corroborated on Friday.
'All identified enhancements are implemented, ensuring our systems remain updated and resilient,' Alok Vij, IT infrastructure head at Naukri's parent company InfoEdge, told TechCrunch over email. 'Our teams have not detected any usual activity that affects the integrity of user data.'
Founded in March 1997, Naukri.com is India's top classified recruitment website, helping connect recruiters, employers, and job seekers. Apart from India, the site exists in the Middle East as Naukrigulf.com.
'Certain features of our recruiter profiles are designed to be public to enable users to know who has access to their profile(s). We conduct regular audits and security assessments,' said Vij.
Related Articles


Fox News
an hour ago
- Fox News
How to tell if a login alert is real or a scam
Online scams thrive on the urgency and fear of their victims. If you've ever been a victim of a scam, you'd know that bad actors often try to rush you into taking action by creating a sense of fear. A scammer may call you impersonating a government agency and claim your Social Security number has been linked to drug trafficking. A phishing email might ask you to update your tax details or claim you've won a lottery or a free product, all to get you to click a malicious link.

A more effective tactic scammers use is sending fake login alerts. These are warnings that someone has logged into your account, prompting you to take immediate action. This method works well because legitimate services like Google, Apple, Netflix and Facebook also send these types of notifications when someone, including you, logs in from a new device. It can be tricky to tell the difference.

As Robert from Danville asks, "I constantly get in my spam junk folder emails saying 'someone has logged into your account.' Is this spam? legitimate? concerning? How do I know? How to avoid wasting time checking? How do I check?"

Thanks for writing to us, Robert. I completely understand how tricky it can be to figure out whether these messages are legitimate or just another scam attempt. Let's break down what these urgent warnings usually look like and go over a few ways you can stay safe.

Scammers often pose as login alerts from Google, Apple, Meta or even your bank, complete with official-looking logos, because fear is effective. But not every alert is a scam. In many cases, these notifications are legitimate and can help you detect unauthorized access to your accounts.

Let's focus on the scam side first. Login alert scams have been around for a while. Early reports date back to 2021, and the trend has persisted since then. In 2022, reports surfaced that scammers were impersonating Meta and sending phishing emails to users. One such email used a clean layout with minimal text. It avoided the usual scare tactics and stuck to a simple message. But that is not always the case. A common red flag in phishing attempts is the tendency to overload the email with unnecessary details. These messages often include cluttered formatting, excessive explanations and an increasing number of typos or design errors.

One phishing email simply gets to the point:

Someone tried to Iog into Your Account, User lD
A user just logged into your Facebook account from a new device Samsung S21. We are sending you this email to verify it's really you.
Thanks,
The Facebook Team

What's concerning now is that poor grammar is no longer a reliable sign of a scam. Thanks to AI, even those with limited English skills can write emails that sound polished and professional. As a result, many phishing messages today read just like legitimate emails from trusted companies.

Receiving a phishing email is not the real issue. The real problem starts when you click on it. Most of these emails contain links that lead to fake login pages, designed to look exactly like platforms such as Facebook, Google or your bank. If you enter your credentials there, they go directly to the scammer. In some cases, simply clicking the link can trigger a malware download, especially if your browser is outdated or your device lacks proper security. Once inside, attackers can steal personal information, monitor your activity or take control of your accounts.

Real login notifications do exist; they're just much less scary. A genuine alert from Google, Apple or Microsoft will come from an official address (for example, no-reply@ or security@) and use consistent branding. The tone is factual and helpful. For instance, a legit Google security alert might say, "We detected a login from a new sign-in to your Google Account on a Pixel 6 Pro device. If this was you, you don't need to do anything. If not, we'll help you secure your account." It may include a "Check activity" button, but that link always redirects to a address, and it won't prompt you to reenter your password via the email link. Similarly, Apple notes it will never ask for passwords or verification codes via email.

1. Don't click any links or attachments and use strong antivirus software: Instead, manually log in to the real site (or open the official app) by typing the URL or using a bookmarked link. This guarantees you're not walking into a scammer's trap. The FTC recommends this: if you have an account with that company, contact them via the website or phone number you know is real, not the info in the email. The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe. Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android and iOS devices.

2. Remove your data from the internet: Scammers are able to send you targeted messages because your data, like your email address or phone number, is already out there. This often happens due to past data breaches and shady data brokers. A data removal service can help clean up your digital trail by removing your information from public databases and people-search sites. It's not a quick fix, but over time, it reduces how easily scammers can find and target you. While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. They aren't cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. It's what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you. Check out my top picks for data removal services here. Get a free scan to find out if your personal information is already out on the web.

3. Check your account activity: Go to your account's security or sign-in page. Services like Gmail, iCloud or your bank let you review recent logins and devices. If you see nothing unusual, you're safe. If you do find a strange login, follow the site's process (usually changing your password and logging out all devices). Even if you don't find anything odd, change your password as a precaution. Do it through the official site or app, not the email. Consider using a password manager to generate and store complex passwords.

4. Enable two-factor authentication (2FA): This is your best backup. With 2FA enabled, even if someone has your password, they can't gain access without your phone and an additional second factor. Both Google and Apple make 2FA easy and say it "makes it harder for scammers" to hijack your account.

5. Report suspicious emails: If you receive a suspicious email claiming to be from a specific organization, report it to that organization's official support or security team so they can take appropriate action.

You shouldn't have to vet every sketchy email. In fact, your email's spam filters catch most phishing attempts for you. Keep them enabled, and make sure your software is up to date so that malicious sites and attachments are blocked. Still, the most powerful filter is your own awareness.

You're definitely not alone in this. People receive these spammy login scares every day. By keeping a cool head and following the steps above, you're already ahead of the game.

Have you ever encountered a suspicious email or phishing attempt? How did you handle it, and what did you learn from the experience? Let us know by writing us at
For more of my tech tips and security alerts, subscribe to my free CyberGuy Report Newsletter by heading to
Follow Kurt on his social channels
Answers to the most asked CyberGuy questions:
New from Kurt:
Copyright 2025 All rights reserved.


Forbes
2 hours ago
- Forbes
Do Not Answer These Calls — Google Issues New Smartphone Warning
Beware the UNC6040 smartphone threat. Update, June 8, 2025: This story, originally published on June 6, has been updated with further warnings from the FBI regarding dangerous phone calls, as well as additional information from the Google Threat Intelligence Group report potentially linking the UNC6040 threat campaign to an infamous cybercrime collective known as The Com.

Google's Threat Intelligence Group has issued a new warning about a dangerous cyberattack group known only as UNC6040, which is succeeding in stealing data, including your credentials, by getting victims to answer a call on their smartphone. There are no vulnerabilities to exploit, unless you include yourself: these attackers 'abuse end-user trust,' a Google spokesperson said, adding that the UNC6040 campaign 'began months ago and remains active.' Here's what you need to know and do. TL;DR: Don't answer that call, and if you do, don't act upon it.

If you still need me to warn you about the growing threat from AI-powered cyberattacks, particularly those involving calls to your smartphone — regardless of whether it's an Android or iPhone — then you really haven't been paying attention. It's this lack of attention, on the broadest global cross-industry scale, that has left attackers emboldened and allowed the 'vishing' threat to evolve and become ever more dangerous. If you won't listen to me, perhaps you'll take notice of the cybersecurity and hacking experts who form the Google Threat Intelligence Group.

A June 4 posting by GTIG, which has a motto of providing visibility and context on the threats that matter most, has detailed how it's been tracking a threat group known only as UNC6040. This group is financially motivated and very dangerous indeed. 'UNC6040's operators impersonate IT support via phone,' the GTIG report stated, 'tricking employees into installing modified (not authorized by Salesforce) Salesforce connected apps, often Data Loader variants.' The payload?
Access to sensitive data and onward lateral movement to other cloud services beyond the original intrusion for the UNC6040 hackers. Google's threat intelligence analysts have designated UNC6040 as opportunistic attackers, and the broad spectrum of that opportunity has been seen across hospitality, retail and education in the U.S. and Europe. One thought is that the original attackers are working in conjunction with a second group that acts to monetize the infiltrated networks and stolen data, as the extortion itself often doesn't start for some months following the initial intrusion.

The Google Threat Intelligence Group report has linked the activity of the UNC6040 attack group, specifically through shared infrastructure characteristics, with a cybercrime collective known as The Com. The highly respected investigative cybersecurity journalist, Brian Krebs, has described The Com as being a 'distributed cybercriminal social network that facilitates instant collaboration.' This social network exists within Telegram and Discord servers that are home to any number of financially motivated cybercrime actors. Although it is generally agreed that The Com is something of a boasting platform, where criminal hackers go to boost their exploit kudos while also devaluing the cybercrime activities of others, its own value as a resource for threat actors looking to find collaborative opportunities with like-minded individuals should not be underestimated. 'We've also observed overlapping tactics, techniques, and procedures,' Google's TIG researchers said with regard to The Com and UNC6040, 'including social engineering via IT support, the targeting of Okta credentials, and an initial focus on English-speaking users at multinational companies.'
However, the GTIG report admits that it is also quite possible these overlaps are simply a matter of associated threat actors who all boast within the same online criminal communities, rather than being evidence of 'a direct operational relationship' between them.

The Federal Bureau of Investigation has now also joined the chorus of security experts and agencies warning the public about the dangers of answering smartphone calls and messages from specific threat groups and campaigns. Public cybersecurity advisory I-051525-PSA has warned that the FBI has observed a threat campaign, ongoing since April 2025, that uses malicious text and voice messages impersonating senior U.S. officials, including those in federal and state government roles, to gain access to personal information and ultimately valuable online accounts. As with the latest Google Threat Intelligence Group warning, these attacks are based around the phishing tactic of using AI-generated voice messages along with carefully crafted text messages, known as smishing, as a method of engendering trust and, as the FBI described it, establishing rapport with the victim. 'Traditionally, malicious actors have leveraged smishing, vishing, and spear phishing to transition to a secondary messaging platform,' the FBI warned, 'where the actor may present malware or introduce hyperlinks that direct intended targets to an actor-controlled site that steals log-in information, like usernames and passwords.'

The latest warnings regarding this scam call campaign have appeared on social media platforms such as X, formerly known as Twitter, from the likes of the FBI Cleveland and FBI Nashville, as well as on law enforcement websites, including the New York State Police. The message remains the same: the FBI won't call you demanding money or access to online accounts, and the New York State Police won't call you demanding sensitive information or threatening you with arrest over the phone.
'Malicious actors are more frequently exploiting AI-generated audio to impersonate well-known, public figures or personal relations to increase the believability of their schemes,' the FBI advisory warned. The FBI has recommended that all smartphone users, whether they use iPhone or Android devices, must seek to verify the true identity of the caller or sender of a text message before responding in any way. 'Research the originating number, organization, and/or person purporting to contact you,' the FBI said, 'then independently identify a phone number for the person and call to verify their authenticity.'

To mitigate the UNC6040 attack risk, GTIG said that organisations should consider the following steps: And, of course, as Google has advised in previous scam warnings, don't answer those phone calls from unknown sources. If you do, and it's someone claiming to be an IT support person, follow the FBI advice to hang up and use the established methods within your organization to contact them for verification.
Yahoo
2 hours ago
- Yahoo
Chinese hackers and user lapses turn smartphones into a 'mobile security crisis'
WASHINGTON (AP) — Cybersecurity investigators noticed a highly unusual software crash — it was affecting a small number of smartphones belonging to people who worked in government, politics, tech and journalism. The crashes, which began late last year and carried into 2025, were the tipoff to a sophisticated cyberattack that may have allowed hackers to infiltrate a phone without a single click from the user. The attackers left no clues about their identities, but investigators at the cybersecurity firm iVerify noticed that the victims all had something in common: They worked in fields of interest to China's government and had been targeted by Chinese hackers in the past.

Foreign hackers have increasingly identified smartphones, other mobile devices and the apps they use as a weak link in U.S. cyberdefenses. Groups linked to China's military and intelligence service have targeted the smartphones of prominent Americans and burrowed deep into telecommunication networks, according to national security and tech experts. It shows how vulnerable mobile devices and apps are and the risk that security failures could expose sensitive information or leave American interests open to cyberattack, those experts say. 'The world is in a mobile security crisis right now,' said Rocky Cole, a former cybersecurity expert at the National Security Agency and Google and now chief operations officer at iVerify. 'No one is watching the phones.'

US zeroes in on China as a threat, and Beijing levels its own accusations

U.S. authorities warned in December of a sprawling Chinese hacking campaign designed to gain access to the texts and phone conversations of an unknown number of Americans. 'They were able to listen in on phone calls in real time and able to read text messages,' said Rep. Raja Krishnamoorthi of Illinois. He is a member of the House Intelligence Committee and the senior Democrat on the Committee on the Chinese Communist Party, created to study the geopolitical threat from China.
Chinese hackers also sought access to phones used by Donald Trump and running mate JD Vance during the 2024 campaign. The Chinese government has denied allegations of cyberespionage, and accused the U.S. of mounting its own cyberoperations. It says America cites national security as an excuse to issue sanctions against Chinese organizations and keep Chinese technology companies from the global market. 'The U.S. has long been using all kinds of despicable methods to steal other countries' secrets,' Lin Jian, a spokesman for China's foreign ministry, said at a recent press conference in response to questions about a CIA push to recruit Chinese informants.

U.S. intelligence officials have said China poses a significant, persistent threat to U.S. economic and political interests, and it has harnessed the tools of digital conflict: online propaganda and disinformation, artificial intelligence and cyber surveillance and espionage designed to deliver a significant advantage in any military conflict. Mobile networks are a top concern. The U.S. and many of its closest allies have banned Chinese telecom companies from their networks. Other countries, including Germany, are phasing out Chinese involvement because of security concerns. But Chinese tech firms remain a big part of the systems in many nations, giving state-controlled companies a global footprint they could exploit for cyberattacks, experts say. Chinese telecom firms still maintain some routing and cloud storage systems in the U.S. — a growing concern to lawmakers. 'The American people deserve to know if Beijing is quietly using state-owned firms to infiltrate our critical infrastructure,' said U.S. Rep. John Moolenaar, R-Mich., chairman of the China committee, which in April issued subpoenas to Chinese telecom companies seeking information about their U.S. operations.

Mobile devices have become an intel treasure trove

Mobile devices can buy stocks, launch drones and run power plants.
Their proliferation has often outpaced their security. The phones of top government officials are especially valuable, containing sensitive government information, passwords and an insider's glimpse into policy discussions and decision-making. The White House said last week that someone impersonating Susie Wiles, Trump's chief of staff, reached out to governors, senators and business leaders with texts and phone calls. It's unclear how the person obtained Wiles' connections, but they apparently gained access to the contacts in her personal cellphone, The Wall Street Journal reported. The messages and calls were not coming from Wiles' number, the newspaper reported.

While most smartphones and tablets come with robust security, apps and connected devices often lack these protections or the regular software updates needed to stay ahead of new threats. That makes every fitness tracker, baby monitor or smart appliance another potential foothold for hackers looking to penetrate networks, retrieve information or infect systems with malware. Federal officials launched a program this year creating a 'cyber trust mark' for connected devices that meet federal security standards. But consumers and officials shouldn't lower their guard, said Snehal Antani, former chief technology officer for the Pentagon's Joint Special Operations Command. 'They're finding backdoors in Barbie dolls,' said Antani, now CEO of a cybersecurity firm, referring to concerns from researchers who successfully hacked the microphone of a digitally connected version of the toy.

Risks emerge when smartphone users don't take precautions

It doesn't matter how secure a mobile device is if the user doesn't follow basic security precautions, especially if their device contains classified or sensitive information, experts say. Mike Waltz, who departed as Trump's national security adviser, inadvertently added The Atlantic's editor-in-chief to a Signal chat used to discuss military plans with other top officials.
Secretary of Defense Pete Hegseth had an internet connection that bypassed the Pentagon's security protocols set up in his office so he could use the Signal messaging app on a personal computer, the AP has reported. Hegseth has rejected assertions that he shared classified information on Signal, a popular encrypted messaging app not approved for the use of communicating classified information. China and other nations will try to take advantage of such lapses, and national security officials must take steps to prevent them from recurring, said Michael Williams, a national security expert at Syracuse University. 'They all have access to a variety of secure communications platforms,' Williams said. 'We just can't share things willy-nilly.'