AI-focused recruitment platform exposes half a million job seekers

News
By published

Xobin left a database exposed online for at least 3 months

Businessman holding a magnifier and searching for a hacker within a business team.
(Image credit: Shutterstock)
  • Xobin left a database publicly exposed online for at least three months
  • The database was filled with the PII of over 500,000 job applicants
  • Identification documents and passports were included in the files

Days after a database containing the personally identifiable information (PII) of millions of jobseekers was uncovered, another half million may have been exposed by a different company.

The unprotected files were found by Cybernews researchers, and contain the PII of over 500,000 job applicants, including resumes, scans of passports, and copies of identification documents.

The files were left exposed by AI-powered HR tech company Xobin, and despite numerous alerts to the public database, remained open and accessible for almost three months.

Xobin responsible for some big names

The researchers say Xobin counts Toyota, Ericsson, the University of Toronto, and Domino’s as some of its clients, among many other companies and organizations.

It isn’t known how long the database was left exposed before discovery, but Cybernews first discovered the database on August 5 and issued an immediate alert, with the database only being taken down on November 4.

The files were stored in a misconfigured Google Cloud Storage bucket. In total, 18,000 CSV and XLSX files were uncovered which included the job applications of 523,074 people, with each application including full names, phone numbers, and email addresses.

Moreover, 3,129 copies of passports and IDs with Permanent Account Numbers - the Indian equivalent of US social security numbers.

18,629 resumes were found, each containing further details on each applicant. If the database was accessed by malicious actors, it could be used along with other PII for social engineering, spearphishing attacks, extortion, financial fraud, and account takeover, particularly if an individual is known to be seeking or earning a high wage.

“You can name all the cyber threats: identity theft, spear phishing, doxxing, social engineering, and many other forms of fraud. The leaked personal information includes sensitive details, and job seekers are particularly vulnerable. Scammers can impersonate legitimate recruiting agencies, offer enticing fraudulent jobs, and perform other targeted fraudulent activities leading to potentially devastating financial and personal repercussions,” Cybernews researchers said.

You might also like

Benedict Collins
Benedict Collins
Senior Writer, Security

Benedict has been with TechRadar Pro for over two years, and has specialized in writing about cybersecurity, threat intelligence, and B2B security solutions. His coverage explores the critical areas of national security, including state-sponsored threat actors, APT groups, critical infrastructure, and social engineering.

Benedict holds an MA (Distinction) in Security, Intelligence, and Diplomacy from the Centre for Security and Intelligence Studies at the University of Buckingham, providing him with a strong academic foundation for his reporting on geopolitics, threat intelligence, and cyber-warfare.

Prior to his postgraduate studies, Benedict earned a BA in Politics with Journalism, providing him with the skills to translate complex political and security issues into comprehensible copy.