
A misconfigured cloud storage bucket at HireClick exposed 5.7 million job seeker resumes, putting personal data in the hands of potential scammers.
What happened
A data leak involving the recruitment platform HireClick has exposed over 5.7 million resume files due to a misconfigured Amazon Web Services (AWS) S3 storage bucket. The breach left sensitive personal data of job seekers publicly accessible online, creating a lucrative opportunity for scammers and cybercriminals.
Cybernews researchers discovered the exposure, which included resumes and contact details submitted by applicants through the platform. HireClick, which caters to small and mid-sized businesses, has not yet responded to multiple attempts for comment.
Going deeper
The leaked data included full names, home addresses, phone numbers, email addresses, and employment histories, exactly the type of information that powers identity theft and targeted scams. With this much detail, attackers can easily impersonate recruiters, launch phishing or smishing campaigns, or trick victims into sharing additional sensitive information under the guise of job verification processes.
Scammers may exploit this breach to send fraudulent emails pretending to offer jobs and ask for Social Security numbers, banking info, or ID scans. The exposure also opens doors to more aggressive tactics like doxxing or impersonation scams that could harm both individuals and the companies they apply to.
It’s unclear how long the data was exposed. What is clear is that no authentication was required to access the information, and thousands of job seekers’ data were left vulnerable to exploitation.
What was said
Cybernews emphasized the severity of the breach: the resumes weren’t just accessible, they were openly indexed in a cloud bucket without any protection. Researchers have repeatedly tried to contact HireClick to alert them and encourage remediation, but have not received a response. The silence raises concerns about the company’s security practices and its commitment to data protection.
The big picture
This isn’t an isolated incident. Leaks involving hiring platforms have become more frequent. From Foh&Boh, used by brands like KFC and Hyatt, to beWanted in Europe and Snaphunt in Singapore, millions of job seekers have had their resumes and personal details exposed.
As more people rely on digital platforms to find work, and companies offload hiring to third-party services, even a small misconfiguration like an unsecured cloud bucket can have major consequences.
FAQs
What should I do if I submitted a resume to HireClick?
Monitor for suspicious emails, texts, or calls. Be cautious with job offers asking for personal information, and consider placing a fraud alert with credit bureaus.
How can I tell if my information was part of the leak?
HireClick has not released a list of affected individuals. If you used the platform recently, assume your data may have been exposed and take precautions.
What types of scams could result from leaked resume data?
Common scams include fake job offers, phishing attempts for financial or identity documents, and impersonation tactics using your employment history.
Why are misconfigured cloud buckets such a frequent problem?
Cloud storage platforms like AWS offer flexibility, but without proper configuration or access controls, data can be exposed to anyone with the link or indexing tools.
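As an added illustration (not code from HireClick or Cybernews), the Python sketch below checks a bucket's policy, ACL grants and Block Public Access settings for the two permissions that make a bucket listable and readable without authentication. The bucket name and all input values are constructed; the dictionaries follow the shapes returned by the S3 GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock APIs.

```python
from fnmatch import fnmatchcase

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
READ_ACTIONS = ("s3:ListBucket", "s3:GetObject")  # list the bucket / download objects

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # "*" or {"AWS": "*"} matches any caller, including unauthenticated ones.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def anonymous_access(policy, acl_grants, bpa):
    """Return (source, detail) findings for access open to unauthenticated callers."""
    findings = []
    if not bpa.get("RestrictPublicBuckets"):  # when set, S3 refuses anonymous use of a public policy
        for stmt in _as_list(policy.get("Statement", [])):
            if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
                continue
            if stmt.get("Condition"):
                # Conditions may narrow the grant; flag for manual review instead of guessing.
                findings.append(("review", stmt.get("Sid", "unnamed statement")))
                continue
            for pattern in _as_list(stmt.get("Action", [])):
                for action in READ_ACTIONS:
                    if fnmatchcase(action.lower(), pattern.lower()):
                        findings.append(("policy", action))
    if not bpa.get("IgnorePublicAcls"):  # when set, S3 ignores public ACL grants
        for grant in acl_grants:
            if grant.get("Grantee", {}).get("URI") == ALL_USERS:
                findings.append(("acl", grant["Permission"]))
    return findings

# Constructed sample input: a bucket that anyone can list and read.
POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:ListBucket", "s3:Get*"],
    "Resource": ["arn:aws:s3:::example-resume-bucket",
                 "arn:aws:s3:::example-resume-bucket/*"]}]}
ACL = [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]
BPA_OFF = dict.fromkeys(("BlockPublicAcls", "IgnorePublicAcls",
                         "BlockPublicPolicy", "RestrictPublicBuckets"), False)
BPA_ON = dict.fromkeys(BPA_OFF, True)

if __name__ == "__main__":
    print("exposed :", anonymous_access(POLICY, ACL, BPA_OFF))
    print("hardened:", anonymous_access(POLICY, ACL, BPA_ON))
```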
Who is responsible for protecting resume data on hiring platforms?
The hiring platform (in this case, HireClick) is responsible for ensuring secure data storage and timely breach disclosure under data protection laws.