Expresspros.com (Express Employment International)
Plaintext passwords are still a thing unfortunately and this company exposed millions of them.
Who is Expresspros?
“Founded in 1983 and headquartered in Oklahoma City, Express Employment International supports the Express Employment Professionals franchise and related brands. The Express franchise brand is an industry-leading, international staffing company with franchise locations across the U.S., Canada, South Africa, Australia and New Zealand. Express International boasts a team of more than 300 professionals in Oklahoma City, and a network of sales and support teams internationally.
Express Employment Professionals, our flagship franchise, has more than 850 franchise locations and began franchising in 1985 to deliver staffing support and human resource services through a network of franchise office owners.
Express helps people find good jobs and companies find good people, and offers a full range of employment solutions, including evaluation hire, temporary staffing, professional search, and human resources for businesses around the globe. Focusing on a wide range of positions, Express' long-term goal is to put a million people to work annually.” from their LinkedIn page.
This company was also formerly known as Expresspersonnel.com (Express Personnel Services) but has since rebranded, in 2008, according to this article: Link
Finding the exposed data
On November 18th while looking for database backups exposed on my logs I noticed a server exposing a couple of backups that were around 5GB in size together so I went to check what they contained. I also checked to see for how long I had this server flagged and it looks like I only flagged it once, on October 21st 2024.
Examining the data
This server contained 2 compressed database backups that I’m not 100% sure what they belong to, since the two contained data that didn’t look duplicated between them even though the tables were identical. One contained plaintext credentials to a DB with the domain expresspersonnel.com and the other for the domain franchises.expresspersonnel.com. The plaintext passwords of the users are mostly unique between them, so I’ll give some details on the data exposed in both, separately.
The first backup
This backup was the biggest of the 2 files, a bit over 4GB in size and was the backup that contained creds for a DB related to the domain franchises.expresspersonnel.com.
The top 20 tables in terms of records:
3,935,820 AppUserEmployment
3,930,697 AppUserApplyHistory
3,794,622 AppUserReferences
3,271,339 WebUserContactNotes
3,262,788 Phone
3,260,160 Phone_PrePhoneObfuscate
2,719,750 AppUserEducation
2,367,781 Email
2,365,169 Email_PreEmailObfuscate
2,212,106 Address
2,044,015 WebUserMaster
1,978,182 WebUserDateAvailable
1,636,186 AppUserGeo
1,596,290 AppUserSurvey
1,595,480 AppUserMaster
1,458,564 WebUserResumeXml
1,298,188 AppUserJobProfileLog_Archive
1,185,570 AppUserJobProfileLog
991,241 WebUserQuestLinks
698,338 WebJobs
I’ll explain what was inside some of these tables:
AppUserEmployment
This was the biggest table with close to 4 million records and contained the columns:
sDateWorkStart, sDateWorkEnd, sCompanyName, sCompanyCity, sCompanySt, sCompanyCntry, sCompanyPhone, sProdandServices, sSuperName, sSuperTitle, sJobTitleStart, sJobTitleEnd, sJobPayStart, sJobPayEnd, sTimeInPosition, sJobDuties, sReasonLeft, cCanContactCompany, sUserUpdate, dtDateLastUpdate
This contained data related to people’s previous employment, such as how much they were paid, how long they worked there, why they left, and contact details for their previous employers as well as supervisor names.
WebUserMaster
This table contained the User information, with just over 2 million records that contained the columns:
iIndCtlNum, sLoginName, sPassword, dtDateSetInactive, iActive, sSecurityQuestion, sSecurityAnswer, sFirstName, sMiddleName, sLastName, iUserType, iPrimaryLang, dtDateUpdate, sUserUpdate, dtDateCreate, sUserCreate, sSessionId, iIndCtlNumOld, iPIN, UserId, iPreferredContactMethod
If you are wondering why the password field is redacted it’s because the passwords were in plaintext.
I would give out some more detailed statistics on the passwords used but I don’t want to help people brute out their clients’ accounts, and I also don’t know if the company requested a password reset or not. Let’s just say the password policy for this company was quite questionable, at least back in 2017.
The unique number of passwords was: 1,638,467
This table also contained first, middle and last names as well as security questions and answers. Those answers often won’t change over time; a person simply doesn’t change their mother’s maiden name.
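As an added illustration (not code from the post or from the company), this is how the sPassword and sSecurityAnswer columns of a WebUserMaster table can be stored so that a leaked backup yields only salted scrypt hashes rather than the plaintext the post describes. The table layout is reduced to three of the columns named above, and the user rows are constructed sample data.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample rows; the logins, passwords and answers are made up.
SAMPLE_USERS = [
    ("alice", "Summer2017!", "Smith"),
    ("bob", "password1", "Jones"),
]
# scrypt cost parameters: N=2^14, r=8, p=1 uses about 16 MiB per hash.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)

def _scrypt(secret, salt):
    return hashlib.scrypt(secret.encode(), salt=salt, **SCRYPT)

def hash_secret(secret, salt=None):
    """Salted hash stored as hex(salt) + '$' + hex(digest)."""
    salt = salt or os.urandom(16)
    return f"{salt.hex()}${_scrypt(secret, salt).hex()}"

def verify_secret(secret, stored):
    """Constant-time comparison against a stored hash_secret() value."""
    salt_hex, digest_hex = stored.split("$", 1)
    return hmac.compare_digest(_scrypt(secret, bytes.fromhex(salt_hex)).hex(), digest_hex)

def normalise_answer(answer):
    # Security answers are case/whitespace-normalised before hashing so a
    # user who typed "smith" in 2017 can still answer "Smith" today.
    return answer.strip().lower()

def build_store():
    """In-memory WebUserMaster holding only hashes, never the secrets."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE WebUserMaster (sLoginName TEXT PRIMARY KEY, "
                 "sPassword TEXT, sSecurityAnswer TEXT)")
    for login, password, answer in SAMPLE_USERS:
        conn.execute("INSERT INTO WebUserMaster VALUES (?, ?, ?)",
                     (login, hash_secret(password), hash_secret(normalise_answer(answer))))
    conn.commit()
    return conn

def check_login(conn, login, password):
    row = conn.execute("SELECT sPassword FROM WebUserMaster WHERE sLoginName = ?", (login,)).fetchone()
    return row is not None and verify_secret(password, row[0])

def check_security_answer(conn, login, answer):
    row = conn.execute("SELECT sSecurityAnswer FROM WebUserMaster WHERE sLoginName = ?", (login,)).fetchone()
    return row is not None and verify_secret(normalise_answer(answer), row[0])

def backup_is_opaque(conn):
    """True if a full SQL dump of the table contains none of the sample secrets."""
    dump = "\n".join(conn.iterdump())
    return not any(s in dump for _, pw, ans in SAMPLE_USERS for s in (pw, ans))
```

backup_is_opaque() stands in for the post's scenario: it is the check that a leaked dump of this table would not expose the secrets directly.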
Email_PreEmailObfuscate
The email table contained the user emails in obfuscated form, but there was another table with them pre-obfuscation. This also contained links to their respective users.
This table contained 1,798,395 unique emails and the top 10 domains were:
1,047,964 gmail.com
425,380 yahoo.com
92,056 hotmail.com
35,233 aol.com
26,069 icloud.com
24,607 outlook.com
16,051 live.com
13,408 ymail.com
8,234 comcast.net
7,056 msn.com
The full list of email domains and counts: https://pastebin.com/DsBPFgpL
Other tables
WebUserResumeXml
The almost 1.5m records inside this table were people’s resumes in XML format.
Phone_PrePhoneObfuscate
Just like the emails, there was a table with obfuscated phone numbers and another with them pre-obfuscation.
Total unique phone numbers: 2,105,482
Address
This contained people’s personal addresses and links to their respective user accounts.
Total unique street names: 1,705,293
The second backup
This backup was just under 1GB in size and contained the creds for the DB related to the domain expresspersonnel.com.
Top 20 tables in terms of records:
2,848,322 AppUserApplyHistory
2,845,620 AppUserEmployment
2,441,333 AppUserReferences
1,838,533 Phone
1,377,316 Email
1,308,440 WebUserMaster
1,218,986 Address
1,159,857 AppUserMaster
996,116 AppUserSurvey
834,110 AppUserEducation
477,474 WebJobs
244,428 AppUserJobProfiles
179,804 TimeSheetStatus
60,086 TimeSheet
59,459 TimeSheetValidation
8,803 TimeSheetErrorLog
6,163 Relation
3,701 Constants
2,232 TimeCapture
1,344 DailyTotal
This backup contained emails and phone numbers only in obfuscated form, with no pre-obfuscation tables.
The user table contained 904,985 unique passwords, again in plaintext. It also contained all the columns the other backup did.
The user creation dates on both databases spanned from 2004 to mid 2017.
The total number of unique passwords between both backups was: 2,439,744
Notifying the company
After verifying what I was looking at looked legit and I confirmed the data was from Expresspros, I notified the company through the emails I could find online, including their CEO.
Around 12h after my email the exposure was closed.
I waited for a week for any type of reply and since I didn’t get any I emailed the company again on November 25th asking some questions regarding this incident.
On this email I asked the company a couple of questions:
- Since you were exposing millions of your clients’ passwords in plaintext, did you notify them to reset their passwords, or do you have logs that confirm no one got access to this data and therefore there is no need to notify them?
- Do you intend to disclose this incident publicly at all, and if so, can you give me a timeline of when that will happen?
I also invited the company to provide an official comment that I could add to this post.
After the follow up email I got some reply, kinda.
privacyrequest@expresspros.com replied to my initial November 18th email, on November 25th, with the following nonsense:
“Thank you for contacting Express. This email is only for Privacy Requests. Please contact your local Express office”
I don’t understand why I am being redirected to contact a local office and why they wouldn’t just forward this to someone themselves, when my email clearly states I’m a researcher and I’m trying to report a security issue to them. I told them I didn’t have any local office, nor did I need to contact one, as this was closed soon after my initial email. I also explained why I emailed that specific address in the first place:
“Not sure if your company violating the privacy of millions of their users is considered a "Privacy Request" but this email was linked on the Privacy Policy page of your company.”
I did not get any other replies to my emails.
How long was this exposed for and did anyone else find it?
I can verify this was exposed at least from October 21st 2024 until November 18th 2024. All the files inside the server were uploaded around May 2017; does this mean the server was initially exposed back then? Only Expresspros would have an answer to that, as well as to whether someone else accessed this data or not.
I asked but never got a reply.
Final notes
This did not come from any public feed but I have no idea if someone else found this.
If you had an account with Expresspros and think you might have used the same password elsewhere I would advise you to change it. Also if you haven’t changed your Expresspros password since 2017, you might want to change that as well, as I can’t verify if this was accessed by someone else or not.
At the time of posting this, I still haven’t got a proper reply from the company. I will update the post if that changes.