Recruiting software maker exposes nearly 26M resumes


TalentHook, a cloud-based applicant tracking system, left a storage container misconfigured for public access. It spilled tens of millions of job seekers’ CVs, full of personal details ranging from full names to home addresses.

Looking for a job can expose a candidate to harms far worse than a rejection letter. The Cybernews research team has uncovered a misconfigured Azure Blob Storage container holding nearly 26 million files, most of which are resumes of US job seekers.

The team attributed the exposed container to TalentHook, an applicant tracking software maker, which connects HR departments with individuals seeking work. TalentHook is owned by Resource Edge, a Nevada-based software solutions provider.


We have reached out to the company for comment and will update the article once we receive a reply.

“The detailed personal information in the exposed resumes enables attackers to conduct highly targeted phishing campaigns. Email addresses and phone numbers can be used in phishing emails, SMS scams, or fraudulent job offers, tricking individuals into revealing sensitive information such as ID scans or banking details,” the team said.

What job seekers’ data was exposed?

Most of the files exposed via the misconfigured container are CVs, so the exposed information is, unsurprisingly, what any job seeker would put on one, including:

  • Full names
  • Email addresses
  • Phone numbers
  • Education
  • Professional details
  • Employment history

Malicious actors can exploit the exposed details for nefarious purposes, such as identity theft, fraud, or impersonation. Moreover, attackers could pose as potential employers or hiring managers, requesting payments for fake job applications, background checks, or training programs.

TalentHook leaked data sample
Image by Cybernews.

Additionally, exposing personal details such as home addresses and phone numbers elevates the risk of doxxing, a practice where individuals’ details are revealed online against their will. In extreme cases, this may lead to malicious actors harassing or intimidating people who had their details leaked online.

To mitigate the issue, the team advises TalentHook to:

  • Change the container’s access level to private so that anonymous requests are refused, and disallow public blob access at the storage-account level so that no container in the account can be made public again.
  • Review permissions (role assignments, shared access signatures, and account keys) to ensure that only authorized users or services retain access.
  • Retrospectively review the storage access logs to assess whether the container was accessed by unauthorized actors. (Caveat: this is only possible if diagnostic logging had already been enabled and routed to a log sink before the exposure; Azure Storage does not retain request logs by default.)
  • Ensure data at rest is encrypted. (Azure Storage encrypts all data at rest by default, but encryption at rest does nothing for a container that serves blobs to anonymous requests, since the service decrypts transparently for any permitted reader; the access-control fix above is the one that stops the leak.)
  • Use Microsoft Azure Key Vault for managing customer-managed encryption keys securely.
  • Consider implementing security best practices, including regular audits, automated security checks, and employee training.
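
The first two items above are the ones that can be verified from outside with a single unauthenticated request, which is also how containers like this one tend to be found in the first place. The script below is an added example, not code from Cybernews or TalentHook: it issues an anonymous List Blobs request against a container, parses the documented XML response, and reports what an unauthenticated client can see. The account and container names are placeholders, and the embedded sample response is constructed for illustration rather than taken from the exposed container.

```python
"""Anonymous exposure check for an Azure Blob Storage container.

Added example; not code from Cybernews or TalentHook. It speaks only the public
List Blobs REST operation (GET .../<container>?restype=container&comp=list) with
no credentials attached, because a container that answers that request is
readable by anyone on the internet. Account and container names are
placeholders, and SAMPLE_LISTING is a constructed response, not real data.
"""
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

BLOB_ENDPOINT = "https://{account}.blob.core.windows.net/{container}"
API_VERSION = "2020-10-02"   # a supported x-ms-version; the header is optional on anonymous calls


@dataclass
class ContainerExposure:
    url: str
    listable: bool                      # anonymous listing succeeded
    blob_count: int = 0                 # blobs on the first page only
    total_bytes: int = 0
    sample_names: list = field(default_factory=list)
    truncated: bool = False             # NextMarker present: more pages exist
    reason: str = ""                    # why we concluded "not listable"


def list_blobs_url(account: str, container: str, max_results: int = 5000) -> str:
    """URL for one page of an anonymous List Blobs call (5000 is the page maximum)."""
    base = BLOB_ENDPOINT.format(account=account, container=container)
    return f"{base}?restype=container&comp=list&maxresults={max_results}"


def parse_list_blobs(url: str, status: int, body: bytes) -> ContainerExposure:
    """Interpret one List Blobs response.

    Only HTTP 200 with a well-formed <EnumerationResults> document counts as
    exposure. Every other outcome is reported as "not listable" with the raw
    status and no guess at the cause: the service deliberately does not tell
    an anonymous caller whether a private container exists.
    """
    if status != 200:
        return ContainerExposure(url, False, reason=f"HTTP {status}")
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ContainerExposure(url, False, reason="HTTP 200 but body is not XML")
    if root.tag != "EnumerationResults":
        return ContainerExposure(url, False, reason=f"unexpected root element <{root.tag}>")

    exposure = ContainerExposure(url, True)
    for blob in root.iterfind("./Blobs/Blob"):
        exposure.blob_count += 1
        exposure.total_bytes += int(blob.findtext("Properties/Content-Length") or 0)
        if len(exposure.sample_names) < 5:
            exposure.sample_names.append(blob.findtext("Name", ""))
    exposure.truncated = bool((root.findtext("NextMarker") or "").strip())
    return exposure


def probe_container(account: str, container: str, timeout: float = 10.0) -> ContainerExposure:
    """Live check: one unauthenticated GET. Run it before and after remediation."""
    url = list_blobs_url(account, container)
    req = urllib.request.Request(url, headers={"x-ms-version": API_VERSION})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return parse_list_blobs(url, resp.status, resp.read())
    except urllib.error.HTTPError as err:        # 4xx/5xx responses still carry a body
        return parse_list_blobs(url, err.code, err.read())


def blob_publicly_readable(account: str, container: str, blob_name: str,
                           timeout: float = 10.0) -> bool:
    """Access level 'blob' refuses listing yet serves any blob whose URL is known,
    so a failed listing alone does not prove the container is private."""
    url = BLOB_ENDPOINT.format(account=account, container=container) + "/" + blob_name
    req = urllib.request.Request(url, method="HEAD", headers={"x-ms-version": API_VERSION})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError:
        return False


# Constructed sample response in the documented List Blobs shape (names invented).
SAMPLE_LISTING = b"""<?xml version="1.0" encoding="utf-8"?>
<EnumerationResults ServiceEndpoint="https://example.blob.core.windows.net/" ContainerName="resumes">
  <MaxResults>5000</MaxResults>
  <Blobs>
    <Blob><Name>2024/11/applicant-0001.pdf</Name>
      <Properties><Content-Length>184320</Content-Length><Content-Type>application/pdf</Content-Type></Properties></Blob>
    <Blob><Name>2024/11/applicant-0002.docx</Name>
      <Properties><Content-Length>40960</Content-Length></Properties></Blob>
  </Blobs>
  <NextMarker>constructed-continuation-token</NextMarker>
</EnumerationResults>"""


if __name__ == "__main__":
    if len(sys.argv) == 3:                       # python check.py <account> <container>
        print(probe_container(sys.argv[1], sys.argv[2]))
    else:                                        # offline demo on the constructed sample
        print(parse_list_blobs("sample", 200, SAMPLE_LISTING))
```

Run it against your own account before and after remediation: once the container’s access level is set to private (az storage container set-permission --public-access off) and anonymous access is disallowed for the whole account (az storage account update --allow-blob-public-access false), the listing must fail. The blob-level HEAD check is there because a refused listing is not proof of privacy; the “blob” access level still serves any object whose URL is known or guessable. For the retrospective log review, if diagnostic logs were already flowing to a Log Analytics workspace, anonymous requests are the rows in the StorageBlobLogs table whose AuthenticationType column is Anonymous, grouped by caller IP and operation.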

  • Leak discovered: January 7th, 2025
  • Initial disclosure: April 2nd, 2025
  • CISA contacted: April 9th, 2025
  • CERT contacted: May 13th, 2025