Cisco prompted a password reset for the user accounts on its Cisco Professional Careers mobile website after a security researcher discovered a vulnerability in the portal.
The networking giant decided to reset the user passwords to ensure that accounts are kept secure, and says that the issue would have resulted in exposing “a limited set of job application-related information.” Cisco says that it doesn’t believe that the exposed information was accessed by anyone other than the researcher who discovered the security flaw.
The issue, Cisco said, was the result of an incorrect security setting following system maintenance on a third-party website. As soon as it became aware of the issue, the company corrected the setting and prompted the user password reset on the website.
The flaw was discovered by an independent security researcher, and a combined investigation into the matter revealed that the incorrect settings were in place twice: from August 2015 to September 2015, and from July 2016 to August 2016.
In the breach notification to users, the company revealed that exposed data included the user's name, address, email, phone number, username and password, answers to security questions, education and professional profile, cover letter and resume text, and voluntary information, where available (gender, race, veteran status, and disability).
The company says that only the researcher who discovered the bug is believed to have had access to the exposed information, but it did tell users that an instance of an unexplained, anomalous connection to the server led it to take precautionary measures.
On November 2, the company decided to alert its users about the matter, prompting them to reset their passwords upon their next login to the mobile Professional Careers website by clicking “Forgot My Password.” On top of that, the company has decided to disable access to the site using security questions.
“We recommend that affected users take precautionary steps noted below to protect their identity. Cisco takes its responsibility to protect information seriously. We apologize for any inconvenience this incident may cause,” the company said.
According to Cisco, users receiving the warning email should reset their passwords on other websites as well, especially if they tend to use the same password on multiple websites. In fact, the company says, they should update their login credentials, passwords, and security questions and answers for any other websites on which they use the same credentials and information as the Cisco Professional Careers mobile website.
In the meantime, Cisco continues to investigate and monitor the incident, while also taking steps to prevent such incidents from occurring in the future. The company also says that it will provide an update as soon as additional details emerge.