TalentHook, an applicant tracking system, exposed nearly 26 million US job seekers’ resumes containing sensitive personal information due to a misconfigured cloud storage instance. This data leak significantly increases the risk of identity theft, fraud, and targeted phishing attacks for those affected.
A severe data breach was discovered involving TalentHook, a cloud-based applicant tracking system. The Cybernews research team found a misconfigured Azure Blob storage container that had been left openly accessible, exposing close to 26 million files, predominantly resumes of job seekers in the United States. This significant oversight by TalentHook, a company owned by Resource Edge, a Nevada-based software provider, has made a vast amount of personal data vulnerable.
The exposed resumes contained a wealth of sensitive personal information that job seekers typically include in their CVs.
This includes full names, email addresses, phone numbers, educational backgrounds, professional details, and complete employment histories. Such a comprehensive collection of personal data presents a serious risk, as malicious actors can easily exploit it for various nefarious activities, including identity theft, financial fraud, and impersonation.
The implications of this data exposure are far-reaching. With access to detailed personal information, attackers can craft highly convincing phishing campaigns, sending fraudulent emails or SMS messages, or even making fake job offers designed to trick individuals into revealing even more sensitive data like ID scans or banking details. Furthermore, the exposure of home addresses and phone numbers raises the significant risk of doxxing, where individuals’ private details are publicly revealed against their will, potentially leading to harassment or intimidation.
To address this critical security flaw, the Cybernews team has provided several recommendations for TalentHook.
These include changing access controls to restrict public access, updating permissions to ensure only authorized users can view the data, and retrospectively monitoring access logs to identify any unauthorized access. They also advise implementing server-side encryption, using secure key management, and adopting ongoing security best practices such as regular audits, automated security checks, and employee training to prevent future breaches.
Reference:
