
Millions of resumes from a hiring platform were left online, offering scammers job seekers' private data.
Cybernews researchers have uncovered a massive data leak, which was traced back to HireClick, a recruitment platform for small to mid-sized businesses. The platform helps businesses manage job listings, candidate applications, and the hiring process.
The company left over 5.7 million files wide open to anyone on the internet thanks to a misconfigured Amazon AWS S3 storage bucket. The leaked files, mainly resumes, exposed job seekers' sensitive and private information.
What personal data did HireClick leak?
- Full names
- Home addresses
- Email addresses
- Phone numbers
- Employment information
How does the leak affect HireClick clients?
With resumes, email addresses and phone numbers up for grabs, this leak is a goldmine for scammers.
In the wrong hands, the leaked data could power everything from identity theft and impersonation to phishing, vishing, and smishing campaigns, where attackers pose as hiring managers to exploit desperate job seekers.
Victims can potentially receive fraudulent emails that look like real job offers, asking candidates to “verify” their identity with scans of IDs, Social Security numbers, or even banking info to set up direct deposit.

Using the leaked phone numbers, scammers can pose as recruiters or HR representatives, talking the victims into revealing their banking information or installing money-stealing malware on their devices.
Fraudsters can use leaked resumes to create fake identities, conduct employment verification scams, or even gain access to workplace systems by impersonating job applicants.
The risk doesn’t stop at data theft. This kind of leak enables doxxing, the malicious exposure of private information to harass or intimidate individuals. With full names, emails, phone numbers, and physical addresses in hand, attackers could easily find and target victims online.
Researchers could not determine how long the bucket was publicly accessible. Cybernews has tried multiple times to contact the company but received no response.
Recruitment platforms are leaking data
This is not the first time job seekers' private data has been spilled online. Previous research by Cybernews revealed that Foh&Boh, a US hiring platform used by KFC, Taco Bell, and Hyatt Grand, exposed millions of applicants’ resumes, revealing everything they wanted to share with potential employers.
Another investigation uncovered that Take Valley News Live, a North Dakota-based television station, exposed sensitive job seekers' data to anyone on the internet.
At the beginning of May, beWanted, one of the largest employment platforms in Europe, exposed a trove of sensitive details, revealing job seekers’ personal information, ranging from names to national ID numbers.
Last year, Singapore-based remote hiring platform Snaphunt leaked over two hundred thousand CVs of job candidates dating from 2018 to 2023.
Leak discovered: February 27th, 2025
Initial disclosure: February 28th, 2025
CERT contacted: March 10th, 2025