Massive Data Leak at HireClick Exposes 5.7 Million Job Applications

A major data breach has been discovered at HireClick, a U.S.-based hiring platform used by small and mid-sized businesses. Over 5.7 million files, mostly resumes, were left exposed online due to a misconfigured Amazon S3 storage bucket. This serious error has exposed the personal details of job seekers to anyone with internet access.

The leaked files included full names, email addresses, phone numbers, physical addresses, and detailed resumes. These resumes also revealed employment history, education records, and references—a goldmine for cybercriminals.

The breach was uncovered by Cybernews researchers, who have tried multiple times to contact HireClick. However, the company has remained silent, failing to notify affected users or release a public statement. This lack of response raises alarms, as the leaked data can now be used for identity theft, impersonation, phishing scams, and online harassment.

Experts warn that scammers could now pretend to be HR personnel and trick people into sharing even more sensitive documents like ID proofs, Social Security numbers, or banking information. There's also a growing fear of doxxing, where attackers could use personal information to harass or blackmail victims.

This is not the first time a hiring platform has exposed sensitive user data. Similar breaches have occurred in recent years:

• Foh&Boh, used by major brands like KFC and Hyatt, exposed job application data online.

• Valley News Live, a news outlet in North Dakota, leaked personal details due to poor security.

• In Europe, beWanted revealed sensitive information, including national ID numbers.

• In 2023, Singapore-based Snaphunt exposed over 200,000 CVs.

These repeated breaches show a serious issue in how recruitment platforms store and protect data. Many job seekers don’t even know how long their information is kept or who can access it.

With no official word from HireClick, questions are being raised about possible violations of data protection laws like the California Consumer Privacy Act (CCPA) or the GDPR, especially if users outside the U.S. are involved.

Cybersecurity experts say the damage is already done. Even if the exposed storage is now secured, the files may have been copied or sold on the dark web, putting affected individuals at long-term risk.

This incident is a strong reminder of the need for better data security in the recruitment industry—and the right of job seekers to know how their personal information is being handled.