The issue is with part of ZipRecruiter’s site that enables a business with authorization to access the CV database to contact the person seeking a job. After an employer gets online and accesses a resume, they can decide to shortlist some of the candidates when they are provided with a candidate form. The problem is that unauthorized users are able to access the form while not having access to the CV database.
“On October 5th, we discovered that certain employer user accounts that were not intended to have access to the CV Database were able to obtain access to information including the first name, last name and email addresses of some job seekers who had submitted their CVs to our CV database,” said ZipRecruiter in a statement. Thankfully enough no financial data or login credentials were accessed in this breach and ZipRecruiter was able to fix the bug within 90 minutes.
Binary Defense Recommendation: Users need to be vigilant as to what they respond to. Attackers can pose as employers and access information that is not intended for them. Since no financial information was accessed in this breach, bank accounts should be safe, but to be on the safe side users may still want to monitor their account.