A misconfigured cloud storage bucket at HireClick exposed 5.7 million job seeker resumes, putting personal data in the hands of potential scammers.
A data leak involving the recruitment platform HireClick has exposed over 5.7 million resume files due to a misconfigured Amazon Web Services (AWS) S3 storage bucket. The breach left sensitive personal data of job seekers publicly accessible online, creating a lucrative opportunity for scammers and cybercriminals.
Cybernews researchers discovered the exposure, which included resumes and contact details submitted by applicants through the platform. HireClick, which caters to small and mid-sized businesses, has not yet responded to multiple attempts for comment.
The leaked data included full names, home addresses, phone numbers, email addresses, and employment histories, exactly the type of information that powers identity theft and targeted scams. With this much detail, attackers can easily impersonate recruiters, launch phishing or smishing campaigns, or trick victims into sharing additional sensitive information under the guise of job verification processes.
Scammers may exploit this breach to send fraudulent emails pretending to offer jobs and ask for Social Security numbers, banking info, or ID scans. The exposure also opens doors to more aggressive tactics like doxxing or impersonation scams that could harm both individuals and the companies they apply to.
It’s unclear how long the data was exposed. What is clear is that no authentication was required to access the information, and thousands of job seekers’ data were left vulnerable to exploitation.
Cybernews emphasized the severity of the breach: the resumes weren’t just accessible, they were openly indexed on a cloud bucket without any protection. Researchers have repeatedly tried to contact HireClick to alert them and encourage remediation, but have not received a response. The silence raises concerns about the company’s security practices and its commitment to data protection.
This isn’t an isolated incident. Leaks involving hiring platforms have become more frequent. From Foh&Boh, used by brands like KFC and Hyatt, to beWanted in Europe and Snaphunt in Singapore, millions of job seekers have had their resumes and personal details exposed.
As more people rely on digital platforms to find work, and companies offload hiring to third-party services, even a small misconfiguration like an unsecured cloud bucket can have major consequences.
Monitor for suspicious emails, texts, or calls. Be cautious with job offers asking for personal information, and consider placing a fraud alert with credit bureaus.
HireClick has not released a list of affected individuals. If you used the platform recently, assume your data may have been exposed and take precautions.
Common scams include fake job offers, phishing attempts for financial or identity documents, and impersonation tactics using your employment history.
Cloud storage platforms like AWS give flexibility, but without proper configuration or access controls, data can be exposed to anyone with the link or indexing tools.
The hiring platform (in this case, HireClick) is responsible for ensuring secure data storage and timely breach disclosure under data protection laws.
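For teams that run their own buckets, the kind of unauthenticated access described above can be checked from the bucket's exported settings. The following is an added example, not code from Cybernews or HireClick: the function name `anonymous_access`, the bucket name `example-resumes` and all sample values are constructed, and the inputs are assumed to be the bucket policy document, the bucket ACL grants and the four Public Access Block settings as plain Python dictionaries.

```python
import fnmatch

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"  # S3's "everyone" group

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def anonymous_access(policy, acl_grants, pab):
    """Return which of {'list', 'read'} work with no credentials.

    Simplified: a statement with any Condition is treated as non-public;
    Deny statements, NotAction/NotPrincipal and per-object ACLs are not evaluated.
    """
    found = set()
    if not pab.get("IgnorePublicAcls", False):
        for grant in acl_grants:
            if (grant["Grantee"].get("URI") == ALL_USERS
                    and grant["Permission"] in ("READ", "FULL_CONTROL")):
                found.add("list")  # bucket-level READ lets anyone enumerate keys
    if policy and not pab.get("RestrictPublicBuckets", False):
        for stmt in _as_list(policy.get("Statement", [])):
            if (stmt.get("Effect") != "Allow" or stmt.get("Condition")
                    or not _is_anonymous(stmt.get("Principal"))):
                continue
            for pattern in _as_list(stmt.get("Action", [])):
                pattern = pattern.lower()  # IAM action names are case-insensitive
                if fnmatch.fnmatchcase("s3:getobject", pattern):
                    found.add("read")
                if fnmatch.fnmatchcase("s3:listbucket", pattern):
                    found.add("list")
    return found

# Constructed sample: a policy that lets anyone list and download objects.
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-resumes", "arn:aws:s3:::example-resumes/*"]}]}
PAB_OFF = {}  # no Public Access Block configured
PAB_ON = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
          "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    print(sorted(anonymous_access(OPEN_POLICY, [], PAB_OFF)))  # weak setting
    print(sorted(anonymous_access(OPEN_POLICY, [], PAB_ON)))   # corrected setting
```

A non-empty result means the bucket answers requests that carry no credentials; "list" corresponds to the open indexing the researchers describe, "read" to downloading the files themselves.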