SecurityWeek

Application Security

Cisco Resets Passwords on Careers Portal

Cisco last week prompted a password reset for the user accounts on its Cisco Professional Careers mobile website after a security researcher discovered a vulnerability in the portal.

The networking giant decided to reset the user passwords to ensure that accounts are kept secure, and says that the issue would have resulted in exposing “a limited set of job application-related information.” Cisco says that it doesn’t believe that the exposed information was accessed by anyone other than the researcher who discovered the security flaw.

The issue, Cisco said, was the result of an incorrect security setting following system maintenance on a third-party website. As soon as it became aware of the issue, the company corrected the setting and prompted the user password reset on the website.

The flaw was discovered by an independent security researcher, and a combined investigation into the matter revealed that the incorrect settings were in place twice: from August 2015 to September 2015, and from July 2016 to August 2016.

In the breach notification to users, the company revealed that exposed data included the user name, address, email, phone number, username and password, answers to security questions, education and professional profile, cover letter and resume text, and voluntary information, where available (gender, race, veteran status, and disability).

The company says that only the researcher who discovered the bug is believed to have had access to the exposed information, but it did tell users that an instance of an unexplained, anomalous connection to the server prompted it to take precautionary measures.

On November 2, the company decided to alert its users about the matter, prompting them to reset their passwords upon their next login to the mobile Professional Careers website by clicking “Forgot My Password.” On top of that, the company has decided to disable access to the site using security questions.

“We recommend that affected users take precautionary steps noted below to protect their identity. Cisco takes its responsibility to protect information seriously. We apologize for any inconvenience this incident may cause,” the company said.

According to Cisco, users receiving the warning email should reset their passwords on other websites as well, especially if they tend to use the same password on multiple websites. In fact, the company says, they should update their login credentials, passwords, and security questions and answers for any other websites on which they use the same credentials and information as the Cisco Professional Careers mobile website.

In the meantime, Cisco continues to investigate and monitor the incident, while also taking steps to prevent such incidents from occurring in the future. The company also says that it will provide updates on the exposed information as soon as additional details emerge.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
