September 17th 2021
We are sorry to tell you that last week we learned of a security breach resulting in personal information of members who joined Ajarn between 2004 and 2018 being accessed by an unauthorised third party.
Exposed information
We have never stored credit card, debit card or bank account details on Ajarn so we can confirm that such data was NOT accessed as part of the breach.
The information exposed in the breach included names, email addresses, hashed passwords and the language preferences of members who joined the site between January 25th 2004 and December 13th 2018. Additional data belonging to members with public resumes stored on Ajarn was also exposed, including gender, marital status, date of birth, nationality, location (country), phone number, photo, work experience, educational experience, details of jobs applied for and other application data including, in some cases, messages to recruiters. The names, contact names, addresses and company registration numbers of recruiters were also exposed in the data breach.
We have reported this incident to the Ministry of Digital Economy and Society and to ThaiCERT (the Computer Security Incident Response Team), who have logged details of this incident and may provide us with further guidance and instruction following their own investigations.
Passwords
Passwords on Ajarn are "hashed", meaning that they are not visible as plain text. Hashing is a standard practice used by most websites and in most cases it prevents passwords from being revealed. However, with enough effort it may be possible for the original password to be determined from its hash. As a precaution, we will ask everyone who registered before December 13th 2018 to create a new password the next time they sign in.
If you are using -- or have ever used -- the same password on Ajarn as you used for other sites, apps or services then we highly recommend that you change your passwords for those accounts too. It is best practice to use a different password for each website / service that you use. Allowing your web browser or a password manager to suggest a random password is generally preferable to creating your own password.
We have now implemented additional security measures
After becoming aware of the details of this incident this month, we have been in consultation with a number of international web security experts in order to understand how the breach occurred and also to prevent further incidents in the future. Following these consultations, we concluded that our server infrastructure is secure, but we identified a vulnerability in our web application software which we believe facilitated the breach. This vulnerability has now been fixed.
Going forward, we will be using the services of external providers to conduct regular scans of our systems in addition to our own internal checks to ensure that an incident like this cannot occur again.
Please be cautious
We would like to ask all of our members to be cautious, as it is possible that someone might try to contact you and attempt to gain your confidence with the information that they have accessed. Aside from our advice about changing your passwords (above), we would also like to ask that you report any suspicious contact to us immediately. If you are suspicious about any communication you receive from us, please get in touch with us via the website contact form and we will be able to tell you whether or not the communication is genuine.
This page will be updated with any additional relevant information as it becomes available.
We are very sorry that this has happened and for any inconvenience or concern that it has caused you. If you have any questions or worries about this incident, please get in touch with us and we will be happy to help in any way that we can.