A major data leak has exposed millions of sensitive documents from HireClick, a recruitment platform used by small and medium-sized businesses across the U.S.
AWS Misconfiguration Leaves Personal Data Unprotected
Cybernews researchers discovered over 5.7 million files left exposed online due to a misconfigured Amazon S3 bucket managed by HireClick. The leaked files primarily consist of job seekers’ resumes containing personal and professional data.
The exposed information includes:
- Full names
- Home addresses
- Email addresses
- Phone numbers
- Employment and educational details
According to researchers, the data was publicly accessible to anyone with the link, presenting a serious privacy and security risk for millions of individuals.
Risks for Victims: Identity Theft, Phishing, and More
With such detailed personal data available, threat actors can exploit the leak in multiple ways:
- Phishing scams using fake job offers to extract IDs or bank details
- Vishing and smishing attacks posing as HR or recruiters
- Identity theft through resume-based impersonation
- Employment scams to trick companies or job seekers
- Doxxing and harassment using real names, addresses, and contact details
“This leak is a goldmine for scammers,” Cybernews noted, warning that attackers could manipulate the data for financial fraud and social engineering attacks.
The exact duration of public exposure remains unknown. Cybernews reached out to HireClick multiple times but has not received a response.
Growing Trend of Resume Data Leaks in Recruitment Sector
This incident adds to a growing list of resume-related data exposures across the job recruitment industry:
- Foh&Boh: A platform used by major brands like KFC and Taco Bell, which leaked millions of applicant resumes
- Valley News Live: A North Dakota TV station exposed applicant data publicly
- beWanted (Europe): Leaked resumes with names and national ID numbers in May 2025
- Snaphunt (Singapore): Exposed over 200,000 CVs from 2018 to 2023
Timeline of Events
- Leak discovered: February 27, 2025
- Initial disclosure: February 28, 2025
- CERT contacted: March 10, 2025
Despite the scale of the incident, HireClick has yet to issue a public statement.