ADVERTISEMENT

Xobin leak: screening job applicants with AI, but storing personal data in an open bucket

The AI-powered HR tech company Xobin, which specializes in software for screening, shortlisting, and interviewing job applicants, has inadvertently exposed half a million job seekers through an unsecured Google Cloud Storage bucket. Private data, including national IDs, passport copies, and resumes, were publicly accessible for months.

Xobin leak

Image by Cybernews.

Ernestas Naprys
Ernestas Naprys Senior Journalist
Nov 14, 2024 Updated: 8 December 2025 3 min read
  • 18,000 CSV and XLSX files containing personally identifiable information (PII) of 523,074 unique job applicants, revealing their full names, phone numbers, email addresses, and skill assessment test results. These records detailed the company and position applied for, test scores, date, and CGPA (Cumulative Grade Point Average) measure.
  • 3,129 copies of Passports or National IDs paired with Permanent Account Numbers (PAN) – a crucial piece of identity documentation in India, equivalent to a US Social Security Number or UK National Insurance Number in the UK.
  • 18,629 resumes/CVs, including comprehensive personal information provided by the applicants, such as full name, date of birth, home address, phone number, occupation history, and others.
exposed-id-xobin

Prolonged exposure carries significant consequences

ADVERTISEMENT
exposed-data-xobin
justinasv Paulius Grinkevičius B&W Konstancija Gasaityte Gintaras Radauskas
Don’t miss our latest stories on Google News
Add us as your Preferred Source on Google.

Put a lid on data buckets

  • Access Restriction – limit access to the cloud storage bucket by changing permissions to ensure that only authorized personnel can access the data.
  • Monitor retrospectively access logs to assess whether the bucket has been accessed by unauthorized actors.
  • Enable server-side encryption for the bucket to ensure that data stored within it is encrypted at rest. Use secure key management service. Use SSL/TLS for data in transit. Additionally, consider implementing client-side encryption for added security, especially for highly sensitive data.
  • Establish a schedule for regular security audits and reviews of all cloud storage buckets to proactively identify and address any security risks or vulnerabilities. This can help prevent future data leaks and ensure ongoing compliance with security best practices.
  • Consider implementing security best practices and compliance with strong security frameworks and certifications.

Disclosure timeline

  • August 5th, 2024: Leak discovered.
  • August 12th, 2024: Initial disclosure email sent, and multiple follow-up emails followed.
  • November 4th: Access to the data was closed.
ADVERTISEMENT