Incident

Data leak at beWanted exposes 1.1 Million job seekers' personal information

Take action: This is why your company MUST have a responsible disclosure channel, so it can react quickly to reported issues.



A data security leak has been reported involving beWanted, one of the largest employment platforms in Europe. The company describes itself as "the largest Talent Pool ecosystem in the world" and operates as a Software-as-a-Service (SaaS) enabled business that connects job seekers with potential employers.

The Cybernews research team discovered an unprotected Google Cloud Storage bucket belonging to beWanted that contained more than 1.1 million files, primarily consisting of CVs and resumes of job seekers from various countries including Spain, Argentina, Guatemala, Honduras, and others. The team discovered the exposed instance in November 2024, and despite numerous attempts to contact beWanted, the database "remains publicly accessible." This means the sensitive data has been sitting wide open on the internet for at least six months.

The exposed data includes:

  • Full names
  • Phone numbers
  • Email addresses
  • Postal addresses
  • Dates of birth
  • National ID numbers
  • Nationalities
  • Places of birth
  • Social media links
  • Employment history
  • Educational background

This exposure creates multiple attack vectors, enabling cybercriminals to engage in identity theft, spear phishing attacks, bank fraud attempts and scams. It's not known whether malicious actors have already accessed and potentially stolen the exposed data during this extended period of vulnerability.

The Cybernews research team tried contacting beWanted multiple times to alert them about the security issue and get the company to lock down the database, but the firm never responded to their inquiries.

  • November 2024: Cybernews research team discovers the exposed database
  • Multiple attempts to contact beWanted with no response
  • May 2025: The data still remains publicly accessible, approximately six months after discovery

No information is currently available about whether beWanted has notified relevant data protection authorities or the affected individuals about this breach, as would typically be required under applicable data protection laws.

Update: On 13th of May 2025, a representative of beWanted, signing as Miguel Ángel RM, reached out via email to BeyondMachines to declare that they first learned of the incident on May the 8th from the TechRadar article. Per the email, the data bucket was secured on May the 8th, even though the immediate fix caused service disruption for beWanted, and the definitive fix was implemented on May the 9th. The representative claims that, to the best of their knowledge and investigations, no data leakage has occurred.

No clarification was provided on why the earlier reporting attempts from Cybernews did not initiate a remediation action.
