Find a job, lose your data: hundreds of thousands of CVs leaked


Snaphunt, a remote hiring platform, has leaked over two hundred thousand CVs. The leak exposes job seekers' personal data and puts them at high risk of identity theft.

The Cybernews research team discovered a misconfigured Amazon AWS S3 bucket on August 5th. It contained over 280,000 files, including resumes of job candidates dating from 2018 to 2023.

The leaking storage bucket was attributed to Singapore-based recruitment platform Snaphunt, which operates globally and caters to clients and job seekers across various regions, including Asia, Europe, and the Middle East.

ADVERTISEMENT

The platform connects employers with job seekers using AI and data-driven tools to match candidates with job opportunities based on their skills, experience, and preferences.

The exposed resumes contained a treasure trove of private information. They were left freely accessible to anyone on the internet, putting job seekers at severe risk.

Snaphunt data leak
Number of leaked files. Source: Cybernews

What data was leaked?

  • Full Names
  • Phone Numbers
  • Email Addresses
  • Date of Birth
  • Nationality and Place of Birth
  • Social Media Links
  • Employment history and educational background

Threat actors could use such highly sensitive information for identity theft, where personal information can be used to create fake identities or fraudulent accounts.

The extensive background information about the victims makes them vulnerable to sophisticated spear phishing attacks. Criminals could exploit the leak to impersonate legitimate organizations or individuals, leading to unauthorized access to financial accounts, credentials, or additional sensitive data.

Snaphunt data leak
Leaked CV. Source: Cybernews
ADVERTISEMENT

“The potential for social engineering attacks is elevated, as attackers can impersonate fake recruitment agencies or leverage the leaked data to infiltrate professional networks, spreading malware or extracting further confidential information,” explained one Cybernews researcher.

Cybernews contacted the company, and access to private data has since been secured. An official comment is yet to be received.

Disclosure timeline:

  • August 27th, 2024: Initial disclosure email sent.
  • September 9th, 2024: Access to storage closed to the public.