Cisco Resets Passwords on Careers Portal

Cisco last week prompted a password reset for the user accounts on its Cisco Professional Careers mobile website after a security researcher discovered a vulnerability in the portal.

The networking giant decided to reset the user passwords to ensure that accounts are kept secure, and says that the issue would have resulted in exposing “a limited set of job application-related information.” Cisco says that it doesn’t believe the exposed information was accessed by anyone other than the researcher who discovered the security flaw.

The issue, Cisco said, was the result of an incorrect security setting following system maintenance on a third-party website. As soon as it became aware of the issue, the company corrected the setting and prompted the user password reset on the website.

The flaw was discovered by an independent security researcher, and a joint investigation into the matter revealed that the incorrect settings were in place twice: from August 2015 to September 2015, and from July 2016 to August 2016.

In the breach notification to users, the company revealed that the exposed data included the user’s name, address, email, phone number, username and password, answers to security questions, education and professional profile, cover letter and resume text, and voluntary information, where available (gender, race, veteran status, and disability).

The company says that only the researcher who discovered the bug is believed to have had access to the exposed information, but it did tell users that an unexplained, anomalous connection to the server prompted it to take precautionary measures.

On November 2, the company decided to alert its users on the matter, prompting them to reset their passwords upon their next login to the mobile Professional Careers website by clicking “Forgot My Password.” On top of that, the company has decided to disable access to the site using security questions.

“We recommend that affected users take precautionary steps noted below to protect their identity. Cisco takes its responsibility to protect information seriously. We apologize for any inconvenience this incident may cause,” the company said.

According to Cisco, users receiving the warning email should reset their passwords on other websites as well, especially if they tend to use the same password on multiple websites. In fact, the company says, they should update their login credentials, passwords, and security questions and answers for any other websites on which they use the same credentials and information as the Cisco Professional Careers mobile website.

In the meantime, Cisco continues to investigate and monitor the incident, while also taking steps to prevent such incidents from occurring in the future. The company also says that it will update the exposed information as soon as additional details emerge.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
