If you want to work at Microsoft, you have likely visited Microsoft Careers. The backend database for the mobile version of Microsoft’s jobs portal was misconfigured, exposing user information and leaving the site vulnerable to attack.

Security researcher Chris Vickery has a knack for exposing leaky databases, such as the one that put 13 million MacKeeper users at risk, another that exposed personal information of 191 million voters, yet another that held 18 million voter records with targeted profile data, and one that exposed 140,000 class and student records from Southern New Hampshire University. He also once discovered a leaked Hello Kitty database with 3.3 million user accounts, some belonging to kids.

This time, Vickery said he found another misconfigured MongoDB database that exposed registered users’ information and allowed write access to the contents of the database.

Microsoft uses the third-party mobile development company Punchkick Interactive to maintain the mobile version of its Careers website. Punchkick handles databases for other companies as well; Vickery’s screenshot of the database shows other companies such as Marriott, Ritz, and CareerBuilder, but he homed in on Microsoft “due to the probability of that portion having the most impact.”

For at least a “few weeks,” the database for the mobile version of Microsoft’s Careers site was “exposed to the open Internet and required no authentication at all to access,” wrote Vickery. Besides exposing information, it was “serving potentially arbitrary HTML;” the MongoDB database was not write-protected, meaning “an attacker could have modified the database.” He added:

“The ability to craft arbitrary HTML into an official Microsoft careers webpage is, to say the least, a powerful find for a would-be malicious hacker. This situation is the classic definition of a potential watering hole attack. In that scenario, any number of browser exploits could be launched against unsuspecting job-seekers. It would also be a fantastic phishing opportunity, as people seeking jobs at Microsoft probably tend to have higher value credentials.”

Regarding such exposed credentials in Punchkick’s database, Vickery chose a Microsoft manager’s credentials to offer as proof of the severity of the problem to Microsoft. He sent an email to Microsoft that contained a “screenshot showing the name, email address, password hash, and issued tokens for Microsoft’s Global Employment Brand Marketing Manager, Karrie Shepro.”

The good news is that it took only about an hour after Vickery sent an email to Punchkick for the company to lock down the database.

Vickery frequently uses the Shodan search engine to find insecure MongoDB databases. Shodan founder John Matherly has warned that there are at least 35,000 publicly accessible and insecure MongoDB databases, resulting in 684.8 TB of exposed data. However, Matherly noted that MongoDB is not the only poorly configured database, as “Redis, CouchDB, Cassandra and Riak are equally impacted by these sorts of misconfigurations.” Researchers from Switzerland-based BinaryEdge discovered about 1.1 petabytes of data exposed from just four misconfigured database management systems: MongoDB, Redis, Memcached, and Elasticsearch.

The takeaway from Vickery’s most recently reported misconfigured MongoDB database, which could have given Microsoft a black eye, is that if a company uses third-party services, a security hole in their product “can quickly become a hole in your security.” Board members and executives are well aware of the problem, with 90% of those surveyed by Veracode saying cyber liability should land on third parties when the flaws are in their software. Yet only 65% have set up liability clauses with third-party providers.
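The two conditions Vickery describes, an instance reachable from the open Internet and one that requires no authentication to read or write, are both controlled by a few lines in a MongoDB server's configuration file. The audit script below is an added example written for this page; it is not code from the article, from Vickery, or from MongoDB. It assumes the file uses the YAML layout of mongod.conf and that the keys net.bindIp, net.bindIpAll and security.authorization carry their documented meanings; the two sample configurations embedded in it are constructed for illustration, not taken from the incident.

```python
# Added example (not from the article): audit a mongod.conf for the two
# misconfigurations the story describes -- a server listening on every
# interface, and one that does not require authentication for reads or writes.
# Assumptions: mongod.conf YAML layout; net.bindIp, net.bindIpAll and
# security.authorization have their documented meanings.

def parse_simple_yaml(text):
    """Parse the indentation-based 'key: value' subset of YAML that mongod.conf
    uses. Returns nested dicts with string leaves. Not a general YAML parser."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) pairs; the root sits at indent -1
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while indent <= stack[-1][0]:  # climb back out of deeper blocks
            stack.pop()
        parent = stack[-1][1]
        if value == "":  # a key with no value opens a nested mapping
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def lookup(cfg, dotted, default=None):
    """Fetch a nested key such as 'security.authorization'."""
    node = cfg
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


ALL_INTERFACES = {"0.0.0.0", "::", "*"}


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means neither issue was found."""
    cfg = parse_simple_yaml(text)
    findings = []
    # Assumption: treat an unset bindIp as the localhost-only default of
    # MongoDB 3.6 and later; older packages may differ, so set it explicitly.
    bind_ip = lookup(cfg, "net.bindIp", "127.0.0.1")
    addrs = {a.strip() for a in str(bind_ip).split(",")}
    if addrs & ALL_INTERFACES or lookup(cfg, "net.bindIpAll") == "true":
        findings.append("net.bindIp: listens on all interfaces; "
                        "restrict to loopback or an internal address")
    if lookup(cfg, "security.authorization") != "enabled":
        findings.append("security.authorization: not enabled; "
                        "unauthenticated clients can read and write")
    return findings


# Constructed sample: the kind of configuration that leaves a database open.
EXPOSED_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  authorization: disabled
"""

# Constructed sample: the hardened counterpart.
HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus one internal address
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["no findings"])
```

Run against the exposed sample the script reports both findings; against the hardened sample it reports none. Enabling authorization on its own is not enough if the listener still faces the Internet, which is why the check treats the two settings separately rather than stopping at the first problem.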