A publicly accessible AWS S3 bucket, reportedly belonging to Spanish job platform bewanted, may have exposed sensitive documents of over 1.1 million job seekers from Europe and Latin America. The issue was first reported by TechRadar, based on findings by cybersecurity researchers. While the exposed bucket was confirmed to be open to the public, bewanted has since reached out to us, asserting that access was swiftly revoked and no data was exfiltrated.
The leak, first discovered on November 12, 2024, includes a trove of sensitive data such as full names, national ID numbers, phone numbers, email addresses, and other personal identifiers. Despite repeated disclosure attempts, the data remained publicly accessible for at least six months.
beWanted is headquartered in Madrid, Spain, and operates globally with offices in Germany, Mexico, and the UK. The company markets itself as “the largest Talent Pool ecosystem in the world,” offering SaaS-based recruitment tools for employers and job seekers.
What Data Was Exposed?
According to the Cybernews research team, the vast majority of the leaked files were CVs and resumes submitted by users of the platform. Each file typically included:
- Full name and surname
- Phone number
- Email address
- Date of birth
- Home address
- National ID number
- Nationality
- Place of birth
- Links to social media profiles
- Educational background
- Employment history
“This exposure creates multiple attack vectors, enabling cybercriminals to engage in identity theft, where personal information can be used to create synthetic identities or fraudulent accounts,” researchers said.
The leaked national identification numbers reportedly include citizens from Spain, Argentina, Guatemala, Honduras, and other nations, indicating the breach’s international scope.
Serious Risks of Identity Theft and Phishing
Researchers warned that the exposed data could enable multiple forms of cybercrime. These include:
- Identity theft through the use of leaked national IDs and contact information
- Synthetic identity fraud, using real personal data to build fake digital personas
- Phishing attacks tailored using authentic personal information
- Social engineering, by impersonating recruiters or infiltrating professional networks
“The leak increases the potential for social engineering attacks, as attackers can impersonate fake recruitment agencies or leverage the leaked data to infiltrate professional networks,” the team added.
Timeline of the Incident
- Leak discovered: November 12, 2024
- Initial disclosure to company: November 28, 2024
- National CERT contacted: February 3, 2025
- Data status (updated): AWS S3 Bucket Secured as of May 8th, 2025.
The researchers confirmed that despite multiple attempts to notify beWanted, the exposed data had not been secured at the time of publication.
Response from bewanted
After our initial report, bewanted‘s Chief Technology Officer (CTO) reached out to Daily Security Review to provide additional context and an official statement regarding the reported exposure.
“We became aware of the news about the potential vulnerability through the TechRadar article published on May 8, 2025 (accessible here). Immediately upon learning this information (at approximately 18:00 UTC+2 on May 8th), access to the improperly secured bucket was cut off, even though this temporarily impacted service availability. We prioritized data security. The solution was fully implemented, and the properly secured service was restored last Friday, May 9, 2025. We have been conducting exhaustive internal testing since Friday and can confirm that the solution is definitive. Furthermore, to the best of our knowledge and following relevant investigations, no data leakage has occurred.”
We appreciate the response from bewanted and will continue to monitor the situation for any updates.
Recommended Security Measures
To reduce risk and prevent similar exposures, the team outlined the following mitigation steps for cloud storage security:
- Restrict Public Access: Remove all public permissions and enable Public Access Prevention.
- Implement Access Controls: Apply least privilege principles and assign permissions only to authorized users.
- Monitor Access Activity: Enable audit logs and set up alerts for suspicious activity.
- Enable Data Encryption: Use server-side encryption and manage keys securely with Google Cloud KMS.
- Enforce Secure Transmission: Mandate SSL/TLS for all file transfers.
- Conduct Regular Audits: Review cloud settings using tools like Google Cloud Security Command Center.
Editor’s Note: This article has been updated on May 16th, 2025 to include a statement from bewanted, who assert that no data was exfiltrated and that the misconfiguration has been fully resolved.
