When Job Hunting Meets Data Haunting: The Naukri.com Data Leak Case!

The420.in

A security researcher has uncovered a vulnerability in Naukri.com’s mobile API that leaked recruiter email addresses. While the bug has been swiftly fixed, the incident raises critical concerns over data exposure risks in India’s leading job-matching ecosystem.

The Discovery: A Researcher Stumbles on a Data Leak in India’s Largest Job Portal

India’s most popular job recruitment platform, Naukri.com, recently patched a serious security vulnerability that left recruiter email addresses exposed via its mobile applications. The flaw, discovered by a cybersecurity researcher, did not impact the website version of Naukri.com but instead lay hidden within its mobile API used by both Android and iOS apps.

The API flaw allowed any user whose profile was viewed by a recruiter to access that recruiter’s email ID without authorization. The exposed recruiter email IDs could be exploited for highly targeted phishing campaigns, Gowda said. He also warned of broader risks: the data could be scraped into breach databases, sold to spammers, or used by malicious bots for scam campaigns.

While no abnormal exploitation of this vulnerability has been detected yet, the mere availability of such sensitive recruiter contact information posed a significant privacy risk—especially on a platform that handles millions of job seekers and HR professionals.

What Was at Risk: Trust, Privacy, and the Exploitation of Professional Identities

For a platform like Naukri.com—which processes personal and corporate information at a massive scale—the exposure of recruiter data creates not only privacy hazards but also reputational vulnerabilities. Recruiters could have become targets of spam campaigns, impersonation attempts, and spear-phishing attacks—particularly those in high-level hiring roles or from major companies.

While the bug affected only mobile app users, its presence in such a widely used interface magnifies the impact. Naukri.com is not just another job board; it is India’s largest employment marketplace, boasting millions of monthly users and hosting sensitive data for employers and job seekers alike.

The concern here wasn’t the quantity of leaked data—but the quality and potential misuse. A single exposed corporate email could open the door to a social engineering campaign that compromises internal HR systems or leads to malware-laced job offers being sent to job seekers in retaliation.

And unlike leaks of resumes or contact numbers, recruiter IDs represent the source of trust on job platforms. A compromised recruiter account can deceive hundreds of applicants.

The Response: Naukri Fixes Fast, But Raises Questions About Mobile API Hygiene

InfoEdge, Naukri.com’s parent company, responded promptly after disclosure of the flaw. Within days, the vulnerability was patched. Alok Vij, Head of IT Infrastructure at InfoEdge, assured the public that “all identified enhancements are implemented” and that no unusual activity was detected on their systems.

He emphasized that Naukri’s systems are “updated and resilient,” and that regular audits and security assessments are a standard practice. “Certain features of our recruiter profiles are designed to be public,” Vij clarified, “to enable users to know who has access to their profile(s).”

While Naukri deserves credit for the quick fix and public acknowledgment, the episode highlights an ongoing issue in digital platforms—inadequate scrutiny of mobile APIs, which often operate with different data exposure settings than their web counterparts. With mobile usage surging in India’s job tech landscape, ensuring API-level security hygiene is no longer optional.

Naukri.com, founded in 1997 and serving markets in both India and the Middle East, has long stood as a pioneer in online recruitment. But in today’s environment of rising cyber threats, especially those targeting employment data and corporate contacts, trust is no longer built solely on functionality—it is earned through transparency and proactive cybersecurity.
