ZipRecruiter data breach saw job seekers’ personal data leaked

  • ZipRecruiter was hit by a data breach, as a result of which job seekers’ names and email addresses were exposed to unauthorized accounts.
  • The data accessed does not include any login credentials or financial information.

A mishandled permission at online job portal ZipRecruiter gave unauthorized employer user accounts access to its CV database. As a result, some job seekers who submitted their CVs to ZipRecruiter had data such as names and email addresses compromised.

What happened?

The problem lies in the part of ZipRecruiter's site that allows an employer with permission to access the CV database to contact a job seeker. After an employer has accessed candidates’ resumes and shortlisted any of them, ZipRecruiter provides the employer with a candidate form. It appears that the candidate form can also be accessed by unauthorized users who don't have access to the CV database.

“On October 5th, we discovered that certain employer user accounts that were not intended to have access to the CV Database were able to obtain access to information including the first name, last name and email addresses of some job seekers who had submitted their CVs to our CV database,” ZipRecruiter said in an email notification, The Register reported.

The company confirmed that the data accessed did not include any login credentials or financial information. ZipRecruiter said that it fixed the bug within 90 minutes of detecting it, and that it notified the Information Commissioner's Office (ICO) about the breach.

“The goal of this communication is not to alarm you or deter you from responding to potential employers; rather, we want you to be a little more vigilant when considering whether or not to respond to a potential communication, in light of the unauthorized access to your full name and email address,” ZipRecruiter said.