ZipRecruiter has been flying low: User email addresses exposed to unauthorised accounts

Tinder for job-seekers ZipRecruiter has copped to a data breach after the names and email addresses of job-seekers were flung to the wind in a permissions screw-up. The company – which claims over seven million active job-seekers each month and 40 million job alert email subscribers – has been running since 2010 with …

  1. doublelayer Silver badge

    October? That's a while

    So they became aware of this back in October, and sent notification in December? If they were able to find and fix the bug in ninety minutes, which seems entirely plausible and not at all some random low number that someone made up, surely they could have identified the people whose data was read in two hours and sent them and the relevant oversight offices notification in three. What were they doing in these intervening months? By the way, isn't there some new regulation around that says notification should be sent in 72 hours or less? The protection of data or something like that? No, I must be imagining things.

    1. A.P. Veening Silver badge

      Re: October? That's a while

      "By the way, isn't there some new regulation around that says notification should be sent in 72 hours or less?"

      Yup, GDPR, first report should be within 72 hours. It doesn't need to be complete yet, as that might require more time, but those 72 hours for a first report are pretty hard.

      1. FrogsAndChips Silver badge

        Re: October? That's a while

        The 72 hours are to notify the supervisory authority (ICO), and it's not actually a 'must', but a 'where feasible'. On this occasion, the incident was discovered on Friday 5th and notified to the ICO on Tuesday 9th, so a bit more than 72 hours but this could be justified by the time to check if the bug had actually been exploited.

        For communications to the individuals, it's 'without undue delay'.

  2. devTrail

    Small issue

    This seems a really small issue. Employees of companies who have paid access to the data usually vacuum everything and sell it outside, so the data is going to end up in a lot of creepy DBs anyway. Whoever has been subscribed to job boards like Monster, Indeed or Jobserve should know it by experience. This bug might hurt ZipRecruiter earnings, but for the job-seekers it will be the same.

    Subscriptions on social media or these kinds of services should always be done with email accounts created only for that purpose, even better if you have an email service that allows you to create a lot of aliases (but usually you have to pay for it).

    1. cd

      Re: Small issue

      I let Zip have an ancient junkmail address to try their listings, it chose a query I didn't do on purpose, one it tried to get me to choose which had nothing to do with what I was actually looking to browse. Several other spammy recruiters sent me "offers" for that query immediately and constantly. I did get Zip to kill my "account" and it went away after a while.

      Their offerings appear to me mostly atmosphere with some BTUs added.

      "Small" only if you have extra email addresses and extra resources, which many unemployed do not.

      1. devTrail

        Re: Small issue

        "Small" only if you have extra email addresses and extra resources, which many unemployed do not.

        As I wrote, the same problems happen if you subscribe with any job board; often even applying for a role via the careers page of a big employer is enough to trigger the spam. Even worse, a couple of times I had cold calls from recruiters who claimed they had a role right for me and wanted to forward my CV (but never explained how they got it and how they got my phone number); after 10/15 minutes of discussion they started asking if I had outstanding applications and eventually I realized they were just liars looking for information.

        The recruitment market is a cynical machine that takes the resources of the job seekers anyway.

    2. Doctor Syntax Silver badge

      Re: Small issue

      "Employees of companies who have paid access to the data usually vacuum everything and sell them outside, so the data is going to end up in a lot of creepy DBs anyway."

      And they will find themselves on the wrong end of GDPR.

      1. devTrail

        Re: Small issue

        And they will find themselves on the wrong end of GDPR.

        Which is never enforced.

        Actions are taken against small spammers because they make the news and don't hurt real business; the real purpose of GDPR (which was protecting the citizens from the corporations' advantage over information) is most of the time disregarded.

  3. Anonymous Coward

    So funny!

    Steve Gibson from the "Security Now!" podcast shills for them. I guess taking advertising money for a podcast beats out recommending secure products for his listeners.

    1. katrinab Silver badge

      Re: So funny!

      Ah, that explains everything.

  4. Pascal Monett Silver badge
    Thumb Down

    ZipRecruiter

    One more name to put on my Never Deal With list.

    1. Doctor Syntax Silver badge

      Re: ZipRecruiter

      "One more name to put on my Never Deal With list."

      A "Deal With" list is easier to maintain and takes less space.
