Raymond James Ltd.
On March 24, 2021, an unknown adversary gained access to the Organization?s Employer Portal on the Indeed.com (Indeed) job-posting platform. Indeed was notified immediately. Access to the Organization?s Employer Account was frozen by Indeed. Password changes were implemented by the Organization. The adversary had access to the Organization?s Employer Portal for approximately 2 hours and 15 minutes on March 24, 2021. During that period of compromise, the adversary sent out the first batch of phishing emails to the Indeed tokenized emails of 3,818 applicants on the Portal. The phishing email sent by the adversary requested the applicants to send their cover letters and resumes to the adversary?s email address of firstname.lastname@example.org. The adversary also scraped and exported those tokenized emails and used them outside of the Organization?s Employer Portal on March 25, 2021 to directly send a second batch of phishing emails to those applicants. In addition, with access to the Organization?s Indeed portal messaging mailbox communication history / application submissions, the adversary could have allowed harvested CVs/resumes of job applicants. Indeed was unable to provide logs to confirm if applications or mailbox communication history was accessed. The Organization does not utilize the Indeed mailbox for communication and instead uses its own email system. Ninety-six (96) individuals emailed the Organization to indicate that they had sent personal information to the adversary in response to that phishing email. However, only 18 of those 96 provided the Organization with appropriate evidence of harm. The root cause was an Organization password, which did not follow the Organization?s password requirements/ standards. There was also a lack of multi-factor authentication.