
- A major Indian job site was leaking recruiter emails
- The problem stemmed from a bug in the Naukri API
- The hole was quickly plugged, but users should be aware of scams
One of the most popular and widely used job portals in India has reportedly been found leaking recruiter email addresses.
A security researcher named Lohith Gowda recently discovered a vulnerability in Naukri’s API for Android and iOS apps, which exposed the recruiters’ email addresses when they were viewing profiles of potential candidates.
Speaking to TechCrunch, Gowda explained what the dangers of this vulnerability were: “The exposed recruiter email IDs can be used for targeted phishing attacks, and recruiters may receive excessive unsolicited emails and spam.”
2FA codes and session tokens
Gowda further stressed that the email IDs can be added to different spam lists and public breach databases, which are sometimes picked up by scraping bots. This, in turn, can lead to automated bot abuse and various scams.
Relevancy and a sense of urgency are key to a successful phishing email.
An attacker might reference an ongoing hiring campaign, a candidate's resume, or a job platform the recruiter uses, to make the email feel timely and legitimate.
Urgency, on the other hand, is how threat actors force the victims into making rash decisions that they later regret.
In this case, these could be claims of a top candidate being about to accept another offer or interview access links that are expiring.
After discovering the flaw, Gowda reached out to Naukri, who then plugged the leak. “All identified enhancements are implemented, ensuring our systems remain updated and resilient,” Alok Vij, IT infrastructure head at Naukri’s parent company InfoEdge, confirmed to TechCrunch. “Our teams have not detected any usual activity that affects the integrity of user data.”
Naukri.com is one of the most popular Indian job sites. According to SimilarWeb, it had more than 28 million unique monthly visits in April 2025, and ranks as the number one job and employment website in the country.