


Millions of User Records Stolen From 65 Websites via SQL Injection Attacks

The ResumeLooters hackers compromise recruitment and retail websites using SQL injection and XSS attacks.

Between November and December 2023, a threat actor successfully stole more than two million email addresses and other personal information from at least 65 websites, threat intelligence firm Group-IB reports.

Mainly relying on SQL injection attacks, the hacking group, tracked as ResumeLooters, has been active since early 2023, selling the stolen information on Chinese-speaking hacking-themed Telegram groups.

As part of the November-December campaign, the group primarily hit sites in India (12), Taiwan (10), Thailand (9), Vietnam (7), and China (3). However, it was also seen targeting victims in Australia, the Philippines, South Korea, Japan, the US, Brazil, Russia, and Italy.

The group mainly focused on compromising retail and recruitment websites, but victims in the professional services, delivery, real estate, and investment sectors were also identified.

The observed attacks resembled those launched by GambleForce, a threat actor relying on SQL injections to compromise gambling and government websites in Asia-Pacific.

Like GambleForce, ResumeLooters was seen using various open source tools and penetration testing frameworks in its SQL injection attacks.

The main difference, however, is that ResumeLooters has also used XSS scripts injected into legitimate job search websites, meant to display phishing forms and harvest administrative credentials. The scripts were executed on at least four websites and on some devices with administrative access.

In one instance, the group created a fake employer profile on a recruitment website, and injected an XSS script using one of the fields in the profile. In another instance, XSS code was included in a fake CV.


Through the injection of malicious SQL queries, the threat actor was able to retrieve databases containing close to 2.2 million rows, more than 500,000 of which represented user data from employment websites.

“ResumeLooters is confirmed to have stolen several databases containing 2,079,027 unique emails and other records, such as names, phone numbers, dates of birth, as well as information about job seekers’ experience and employment history,” Group-IB says.

Fueled by poor security and inadequate database management practices, these attacks demonstrate how much damage can be done with publicly available tools, Group-IB notes, pointing out that companies can easily avoid falling victim to groups like GambleForce and ResumeLooters.

“Aside from the potential exposure of job seekers’ data (including phone numbers, email addresses, and other personal information), various APT groups could leverage this information for the further targeting of specific individuals,” the cybersecurity firm notes.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.

