A misconfigured Amazon S3 bucket belonging to HireClick, a U.S.-based recruitment platform for small and mid-sized businesses, has resulted in one of the largest known leaks of job applicant data. With over 5.7 million files exposed—primarily resumes—the leak is a goldmine for cybercriminals and a ticking time bomb for identity theft, impersonation scams, and online harassment.
A Recruitment Misstep with Massive Consequences
Cybernews researchers recently uncovered a massive breach of sensitive job seeker data, traced back to HireClick, a recruitment software provider used by thousands of small and mid-sized businesses across the United States. The source of the breach? A publicly accessible Amazon S3 storage bucket that contained over 5.7 million files, many of which included resumes, full names, email addresses, phone numbers, and even physical addresses of candidates.
This misconfiguration left sensitive data wide open to anyone with an internet connection. In response to repeated outreach attempts by Cybernews, HireClick has maintained silence, failing to issue a public statement or alert affected users—potentially exposing millions to months, if not years, of digital vulnerability.
The Human Cost: Phishing, Identity Theft, and Doxxing
While the breach might seem like another line in the endless scroll of cyber incidents, the impact on individuals is far more severe. Resumes often include detailed employment histories, education records, and even references, all of which can be exploited for identity theft, impersonation, and social engineering attacks.
Security experts warn that attackers could use this treasure trove of information to launch phishing and smishing campaigns, posing as HR personnel or recruiters, luring job seekers into sharing even more sensitive documents like government IDs, Social Security numbers, or banking details under the guise of onboarding procedures.
There’s also a real danger of doxxing—where attackers use personal data to target, intimidate, or harass victims. With complete profiles of unsuspecting job seekers now exposed, online harassment and blackmail have become tangible threats.
A Pattern of Negligence Across the Industry
HireClick’s breach is the latest in a disturbing trend of recruitment platforms mishandling personal data. In recent years, Cybernews has uncovered similar incidents across the globe:
- Foh&Boh, used by major brands like KFC, Taco Bell, and Hyatt, was found exposing resumes and applicant data without proper security.
- Valley News Live, a North Dakota media outlet, also leaked personal job application data through poor configuration.
- European platform beWanted revealed candidate information including national ID numbers in a breach earlier this year.
- In 2023, Singapore-based Snaphunt exposed over 200,000 CVs, some dating back five years.
The consistency of these leaks signals a systemic problem in how recruitment tech handles personal information—especially given that many applicants are unaware of how long or where their data is stored.
No Response, No Resolution
As of now, HireClick has not responded to Cybernews’ inquiries or issued a breach notification to users, raising serious concerns about compliance with data protection laws like the California Consumer Privacy Act (CCPA) or GDPR, should any EU users be affected.
Cybersecurity experts emphasize that even once the exposed bucket is secured, the damage is already done. The files could have been scraped, downloaded, and sold on the dark web, opening a long window for fraud, impersonation, and harassment.