TalentHook, an American software developer specializing in finding candidates for HR departments, left its Azure cloud storage open. As a result, almost 26 million resumes became publicly available. Among them are full names, addresses, phone numbers, employment history, education and other confidential information. The leak can become a tool for phishing, fraud, identity theft and even blackmail.
The cloud storage, discovered by Cybernews researchers, contained tens of millions of files, most of which were resumes of US citizens. All this data became freely available through an incorrectly configured Azure Blob container. Among the data that became available:
full names
email addresses
mobile numbers
home addresses
education and work information
professional skills
Experts warn that such detailed personal information opens the way to highly accurate phishing attacks, fake job-offer letters, phishing for bank details, ID documents, or even imitation employers who “demand payment for training or verification.” TalentHook is a recruiting management system (ATS) created by the Nevada company Resource Edge. Their tool helps recruiters automate the search for candidates. But in January 2025, a leak was discovered in the system’s cloud container.
TalentHook became an example of how one poorly secured container can jeopardize the entire job search ecosystem. A resume is not just a PDF file. It is a set of keys to a person’s digital identity. And until recruiting companies implement end-to-end encryption, access audits, and activity monitoring — such leaks will be repeated.
