Xobin leak: screening job applicants with AI, but storing personal data in an open bucket


The AI-powered HR tech company Xobin, which specializes in software for screening, shortlisting, and interviewing job applicants, has inadvertently exposed half a million job seekers through an unsecured Google Cloud Storage bucket. Private data, including national IDs, passport copies, and resumes, were publicly accessible for months.

On August 5th, 2024, the Cybernews Research Team discovered a misconfigured Google Cloud Storage bucket storing an enormous number of files – 47 million in total. The instance belonged to Xobin, an Indian tech firm that provides pre-employment skill assessment tools for multiple major tech companies.

Inside the exposed bucket, researchers uncovered what amounted to a cybercriminal’s treasure trove. The exposed files included the following:

  • 18,000 CSV and XLSX files containing personally identifiable information (PII) of 523,074 unique job applicants, revealing their full names, phone numbers, email addresses, and skill assessment test results. These records detailed the company and position applied for, test scores, date, and CGPA (Cumulative Grade Point Average) measure.
  • 3,129 copies of passports or national IDs paired with Permanent Account Numbers (PAN) – a crucial piece of identity documentation in India, equivalent to a US Social Security Number or a UK National Insurance Number.
  • 18,629 resumes/CVs, including comprehensive personal information provided by the applicants, such as full name, date of birth, home address, phone number, occupation history, and others.

“The misconfigured bucket was unveiled during a routine investigation using standard OSINT methods. It was open to the public, meaning any outsider could find indexes on search engines and access the data,” Cybernews researchers said.

Despite multiple attempts to contact the company, the disclosures remained unaddressed for several months, leaving the personal data vulnerable.

“It’s unclear how long the data was left open. The instance was closed on November 4th, almost three months after it was discovered and initially disclosed, increasing the likelihood that other parties, including cybercriminals, may have accessed it,” our researchers said.

Cybernews has contacted Xobin for a comment but has not yet received a response.

Xobin positions itself as “one of the world's most trusted online assessment software for pre-employment testing and job skill assessments” and lists many well-known companies among its clients, including Toyota, Ericsson, the University of Toronto, Domino’s, and others. According to its website, the firm serves two million test takers per year for more than 1,200 customers from 45 countries.


Prolonged exposure carries significant consequences


Professionals who have used the Xobin platform in the past should be aware that cybercriminals may seize the opportunity to exploit their data. The leaked information is extremely detailed and can be used for financial fraud, account takeover, and multiple other attacks.

“You can name all the cyber threats: identity theft, spear phishing, doxxing, social engineering, and many other forms of fraud. The leaked personal information includes sensitive details, and job seekers are particularly vulnerable. Scammers can impersonate legitimate recruiting agencies, offer enticing fraudulent jobs, and perform other targeted fraudulent activities leading to potentially devastating financial and personal repercussions,” Cybernews researchers said.

While only Xobin can confirm which individuals were affected and whether any external actors might have accessed the data, Cybernews researchers advise all platform users to enable multi-factor authentication (MFA) on important accounts and regularly monitor their financial statements and credit reports.


“Never click on suspicious links or respond to unexpected notifications, emails, or messages requesting you to approve access, enter codes, or take any other action,” the researchers said. “Attackers often exploit MFA fatigue by flooding users with login attempts, and all they need is one mistake. If you notice unusual login attempts, immediately change your passwords, check authorized devices, and reset all active sessions.”

Authors: justinasv, Paulius Grinkevicius, Konstancija Gasaityte, Gintaras Radauskas

Put a lid on data buckets

Cloud storage misconfiguration errors often signal poor cybersecurity hygiene and a lack of proper authentication protocols.

For companies relying on cloud resources for sensitive data, Cybernews researchers recommend the following:

  • Access Restriction – limit access to the cloud storage bucket by changing permissions to ensure that only authorized personnel can access the data.
  • Retrospectively review access logs to assess whether the bucket has been accessed by unauthorized actors.
  • Enable server-side encryption for the bucket to ensure that data stored within it is encrypted at rest. Use a secure key management service, and use SSL/TLS for data in transit. Additionally, consider implementing client-side encryption for added security, especially for highly sensitive data.
  • Establish a schedule for regular security audits and reviews of all cloud storage buckets to proactively identify and address any security risks or vulnerabilities. This can help prevent future data leaks and ensure ongoing compliance with security best practices.
  • Consider implementing security best practices and compliance with strong security frameworks and certifications.
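The first two items on that list (restrict access, then review who actually reached the bucket) can be checked offline from artifacts an administrator already has. The script below is an added example written for this article, not tooling from Xobin or Cybernews. It assumes a bucket IAM policy in the JSON shape that `gcloud storage buckets get-iam-policy gs://BUCKET --format=json` returns, and uses constructed, simplified audit-log records modelled on the `protoPayload` of Cloud Audit Logs data-access entries; the bucket name, principals and IP addresses are all invented sample values.

```python
"""Audit a GCS bucket IAM policy for public grants and scan access records
for unauthenticated reads. Added example; sample data is constructed."""
from typing import Dict, List, Tuple

# Principals that make a binding public: the whole internet, or any Google
# account holder (effectively public).
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policy: an objectViewer grant mistakenly made to allUsers.
POLICY = {
    "bindings": [
        {"role": "roles/storage.admin",
         "members": ["group:hr-platform-admins@example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["allUsers",
                     "serviceAccount:assessment-api@example.iam.gserviceaccount.com"]},
    ],
    "etag": "CONSTRUCTED_ETAG",
}


def find_public_bindings(policy: Dict) -> List[Tuple[str, str]]:
    """Return (role, member) pairs that expose the bucket to the public."""
    hits = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                hits.append((binding["role"], member))
    return hits


def harden_policy(policy: Dict) -> Dict:
    """Copy the policy with every public principal removed; bindings left
    empty are dropped. Apply the result with `gcloud storage buckets
    set-iam-policy` and then enforce public access prevention
    (`gcloud storage buckets update gs://BUCKET --public-access-prevention`)
    so the grant cannot silently come back."""
    hardened = {"bindings": [], "etag": policy.get("etag")}
    for binding in policy.get("bindings", []):
        members = [m for m in binding.get("members", [])
                   if m not in PUBLIC_PRINCIPALS]
        if members:
            hardened["bindings"].append({"role": binding["role"],
                                         "members": members})
    return hardened


# Constructed, simplified audit records. Real Cloud Audit Logs entries carry
# many more fields; only methodName, authenticationInfo.principalEmail,
# resourceName and requestMetadata.callerIp are used here.
LOG_ENTRIES = [
    {"protoPayload": {"methodName": "storage.objects.get",
                      "authenticationInfo": {"principalEmail": "recruiter@example.com"},
                      "resourceName": "projects/_/buckets/assessments/objects/results/batch-01.csv",
                      "requestMetadata": {"callerIp": "203.0.113.10"}}},
    {"protoPayload": {"methodName": "storage.objects.get",
                      "authenticationInfo": {},  # no principal: anonymous read
                      "resourceName": "projects/_/buckets/assessments/objects/ids/passport-0001.jpg",
                      "requestMetadata": {"callerIp": "198.51.100.7"}}},
    {"protoPayload": {"methodName": "storage.objects.list",
                      "authenticationInfo": {},  # anonymous bucket listing
                      "resourceName": "projects/_/buckets/assessments",
                      "requestMetadata": {"callerIp": "198.51.100.7"}}},
]


def anonymous_accesses(entries: List[Dict]) -> List[Tuple[str, str, str]]:
    """Return (caller_ip, method, resource) for every record with no
    authenticated principal, i.e. a read served purely because the bucket
    was public."""
    found = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        principal = payload.get("authenticationInfo", {}).get("principalEmail")
        if not principal:
            found.append((payload.get("requestMetadata", {}).get("callerIp", "?"),
                          payload.get("methodName", "?"),
                          payload.get("resourceName", "?")))
    return found


def count_by_ip(accesses: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """Tally anonymous requests per source IP to spot bulk scraping."""
    counts: Dict[str, int] = {}
    for ip, _method, _resource in accesses:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    for role, member in find_public_bindings(POLICY):
        print(f"PUBLIC GRANT: {member} has {role}")
    print("hardened bindings:", harden_policy(POLICY)["bindings"])
    anon = anonymous_accesses(LOG_ENTRIES)
    for ip, method, resource in anon:
        print(f"ANONYMOUS {method} from {ip} on {resource}")
    print("anonymous requests per IP:", count_by_ip(anon))
```

Running this against a real policy export is a quick way to confirm the first recommendation; the log scan only answers the second one where data-access audit logging was enabled before the exposure, which is itself a reason to turn it on ahead of time rather than after an incident.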

Disclosure timeline

  • August 5th, 2024: Leak discovered.
  • August 12th, 2024: Initial disclosure email sent, and multiple follow-up emails followed.
  • November 4th: Access to the data was closed.