AI-focused recruitment platform exposes half a million job seekers

News
By published

Xobin left a database exposed online for at least 3 months

Businessman holding a magnifier and searching for a hacker within a business team.
(Image credit: Shutterstock)
  • Xobin left a database publicly exposed online for at least three months
  • The database was filled with the PII of over 500,000 job applicants
  • Identification documents and passports were included in the files

Days after a database containing the personally identifiable information (PII) of millions of jobseekers was uncovered, another half million may have been exposed by a different company.

The unprotected files were found by Cybernews researchers, and contain the PII of over 500,000 job applicants, including resumes, scans of passports, and copies of identification documents.

The files were left exposed by AI-powered HR tech company Xobin, and despite numerous alerts to the public database, remained open and accessible for almost three months.

Xobin responsible for some big names

The researchers say Xobin counts Toyota, Ericsson, the University of Toronto, and Domino’s as some of its clients, among many other companies and organizations.

It isn’t known how long the database was left exposed before discovery, but Cybernews first discovered the database on August 5 and issued an immediate alert, with the database only being taken down on November 4.

The files were stored in a misconfigured Google Cloud Storage bucket. In total, 18,000 CSV and XLSX files were uncovered which included the job applications of 523,074 people, with each application including full names, phone numbers, and email addresses.

Moreover, 3,129 copies of passports and IDs with Permanent Account Numbers - the Indian equivalent of US social security numbers.

18,629 resumes were found, each containing further details on each applicant. If the database was accessed by malicious actors, it could be used along with other PII for social engineering, spearphishing attacks, extortion, financial fraud, and account takeover, particularly if an individual is known to be seeking or earning a high wage.

“You can name all the cyber threats: identity theft, spear phishing, doxxing, social engineering, and many other forms of fraud. The leaked personal information includes sensitive details, and job seekers are particularly vulnerable. Scammers can impersonate legitimate recruiting agencies, offer enticing fraudulent jobs, and perform other targeted fraudulent activities leading to potentially devastating financial and personal repercussions,” Cybernews researchers said.

You might also like

Benedict Collins
Benedict Collins
Senior Writer, Security

Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.