ZipRecruiter has been flying low: User email addresses exposed to unauthorised accounts

Tinder for job-seekers ZipRecruiter has copped to a data breach after the names and email addresses of job-seekers were flung to the wind in a permissions screw-up.

The company – which claims over seven million active job-seekers each month and 40 million job alert email subscribers – has been running since 2010 with operations in the US and UK. In 2012 it had helped 10,000 employers fill positions. By 2017 that number had exceeded one million.

But with impressive growth comes impressive growing pains, and a permissions cock-up at ZipRecruiter has meant that hopeful job-seekers, having uploaded their CV, have had their personal details shared in a way they might not have expected.

In the email, sent to those lucky users and seen by The Register, the company says:

On October 5th, we discovered that certain employer user accounts that were not intended to have access to the CV Database were able to obtain access to information including the first name, last name and email addresses of some job seekers who had submitted their CVs to our CV database.

Whoops!

The problem is with the part of ZipRecruiter's site that allows an employer with permission to access the database of CVs to contact a candidate. Obviously, having admired the sheen of a turd buffed to a high gloss CV of a candidate, an employer will want to get in touch. To that end, ZipRecruiter provides a contact form, helpfully populated with the name and email address of the hopeful individual.

It appears that the Email Candidate form can also be accessed by users who have not ponied up the cash for access to the CV library. Those users can still search for job-seekers, but only see limited information depending on what a candidate has volunteered. This could be the candidate's first name, last three employers and city and country.

But thanks to the permissions whoopsie, that unauthorised user could also potentially get to the candidate's full name and email address.

ZipRecruiter professed itself "not certain of the purpose of the unauthorised access" but speculated with breathtaking insight that the information "could be utilised to send you spam or phishing emails".

The company was quick to point out that the information accessed does not include any login credentials or financial information, and that its security team stomped on the bug 90 minutes after it was found. The ICO was notified on 9 October and the company has been picking through its records ever since, working out which users have had the spotlight of spammers shone on their details.

As for what to do, well, the company has told affected users:

The goal of this communication is not to alarm you or deter you from responding to potential employers; rather, we want you to be a little more vigilant when considering whether or not to respond to a potential communication, in light of the unauthorised access to your full name and email address.

So that's alright then.

We contacted ZipRecruiter to find out how many users had been affected, but other than a slightly nasal recording telling us our call may be recorded before abruptly hanging up, the company has remained incommunicado. We can but hope ZipRecruiter is a tad more helpful when it comes to paying customers.

As for the UK's Information Commissioner's Office (ICO), a spokesperson told us: "ZipRecruiter, Inc has made us aware of an incident and we will consider the facts."

Register reader Steve, who was one of the lucky job hunters to receive an "oopsie" email, observed: "It's always so f*cking special to get pwned when you're looking for work."

It is indeed, Steve. It is indeed. ®