- A jobs company reportedly left millions of CVs in a publicly accessible AWS bucket
- FOH & BOH has partnerships with major food and hotel services
- The dataset is now closed, but users may still be at risk
A dataset containing 5.4 million files was discovered by online researchers and reportedly consists mainly of résumés (CVs) from hiring giant FOH & BOH.
Cybernews researchers discovered the publicly accessible AWS bucket containing the exposed files, and after “several attempts to reach the company”, the dataset was closed.
It is not clear whether malicious actors accessed the dataset, but cybercriminals often use automated tools to scan the internet for unprotected instances and download them immediately, so the victims still face very real risks. Here is what we know so far.
A lot of personal data
The job platform, FOH & BOH, aims to “find and recruit talents for the hotel industry” and partners with independent restaurants, franchises, reception groups and “some of the largest hotel chains in the world.” The platform has partnerships with industry giants such as Nobu, Taco Bell and KFC.
Of course, CVs contain personally identifiable information (PII), and the research team says that this leak includes full names, telephone numbers, e-mail addresses, social media links and employment and education histories, among others.
The data was available online for a fairly long period, with discovery on September 16, 2024, initial disclosure on October 22, 2024, and the leak closed on January 8, 2025.
This, like all data leaks, puts those exposed in danger. The main concern is identity theft, especially since a CV hands a full set of personal details to potential attackers.
“The leak considerably increases the risk of identity theft, allowing cybercriminals to create synthetic identities or fraudulent accounts, leaving individuals exposed to a range of sophisticated cyberattacks,” said researchers.
This may seem familiar to some, because only two days ago, on February 4, 2025, a large dataset containing more than a million CVs stored by Valley News Live was discovered, so it has been a rough week for job seekers.
Data breaches have unfortunately become part of life for anyone on the web. In 2024, a single breach exposed the details of 100 million Americans (although the total is now reported as 190 million, so almost 75% of American adults), which simply shows that no one is safe.
Social engineering attacks are also a risk with breached credentials. These generally take the form of phishing campaigns and are designed around the information that hackers have obtained, often seeming to know the victim personally or targeting people in difficult financial situations by offering “get rich quick” scams.
“The attackers could develop highly personalized emails referring to the specific details of the work or the interests of the CVs, making their attempted phishing more and more convincing,” said the researchers. “This targeted approach could deceive candidates more easily, exposing them to new risks.”
How to stay safe
To protect yourself from the risk of identity theft, it is crucial to closely monitor all your accounts. Monitoring your cards, statements and transactions for any suspicious activity means that you can quickly identify any problems.
If a service you use has suffered a data breach, be sure to change your password, and probably your passwords on any site that holds sensitive information. If you want some tips on how to choose a secure password, we have listed some here.
In short, include uppercase and lowercase letters, numbers and special characters, and never reuse passwords, particularly for sites that hold important information such as health or financial data.
If all of this seems a bit overwhelming, we have tested all the best password managers and the best password generators to simplify the process.
Phishing attacks are most often delivered in the form of emails, so be very wary of any email that urges you to act, or that rushes you to click on a link or download a file.
Check domain names and email addresses for discrepancies, such as delete@google instead of support@google, because a mismatch is a big indicator that something may not be right.
We have put together a complete guide on how to spot a phishing email for all those who want to make sure they are wise to scammers' tricks.