New Delhi, May 1 (PTI) A cybersecurity research firm has found vulnerabilities in HR tech start-up Darwinbox that could potentially expose employee data belonging to the company and its clients.

However, Darwinbox has denied that the breach originated from its platform, attributing the issue instead to credential theft on the client side and data leaks on the dark web.

Backed by marquee investors such as KKR, Peak XV, and Lightspeed India, Darwinbox includes several major firms among its clients, including companies from the Bharti Group, Adani Group, Tata Group, Yashoda Hospitals, TVS, and JSW.

CyberX9, in its report on Tuesday, said it has discovered vulnerabilities that could have been exploited to expose complete confidential Personal Identification Information (PII) of all employees of companies using Darwinbox, as well as the PII and resumes of job applicants on the platform.

"The information exposed includes but is not limited to, details of employees of Darwinbox clients like employees' full name, employees' phone number and email address, employees' detailed designation and location, employees' photos, details of job applicants who applied for a job on Darwinbox and their resumes," the CyberX9 report said.

The report claimed that two vulnerabilities in the Darwinbox HR application could potentially allow access to the sensitive data of all employees using the platform. However, Darwinbox has refuted the claim.

CyberX9 said that a data endpoint on Darwinbox takes only one parameter, data_id, which is the employee ID assigned within each client company's application; these IDs are sequential and fall in the range 000000-999999. Supplying such values to the data endpoint returns a large amount of personal and sensitive employee data.

The cyber security firm also found a leaked credential for an old Darwinbox account on the application Typeform, a platform that suffered a data breach in 2024.

"Leaked credentials of Darwinbox career team's Typeform account leading to the exposure of sensitive personal information including resumes of people who applied for a job on Darwinbox," CyberX9 said.

The cyber security firm questioned IT security practices on Darwinbox.

"If Darwinbox knew about these leaked credentials then why didn't they change them to protect the sensitive customers' data, or they meant to intentionally leak the data?" CyberX9 Founder and MD Himanshu Pathak asked.

CyberX9 said that the details of vulnerabilities were shared with Darwinbox before the report was released and the HR tech firm acknowledged that the security research firm's efforts contributed "meaningfully to strengthening the security posture of our platform".

Pathak claimed that the HR tech platform acknowledged implementing fixes for the vulnerabilities reported by CyberX9 in Darwinbox's system. However, when contacted, Darwinbox stated that in response to CyberX9's recent claims, it conducted a thorough internal investigation and confirmed that the breach highlighted in the report did not originate from its platform.

Talking about the first vulnerability that could expose employee data of firms using its platform, Darwinbox said that the incident described in the report is not a security vulnerability or breach within the Darwinbox system, "rather it is a case of user credential theft at the client's side."

"The user's login credentials were exposed through prior leaks publicly available on BreachForums, likely due to malware infections on users' personal devices. Our investigation into the said report confirms that Darwinbox's systems remain secure and safe. No unauthorised access or infrastructure compromise has occurred on Darwinbox's side," the company said.

In its communication to CyberX9, the HR tech firm has also stated that the data endpoint vulnerability highlighted in the report is limited to users operating within their organisation and agreed that enhancing rate limits (layers of information that an employee can access) can further strengthen protection against the risk. PTI PRS DR
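The two points the article turns on, an endpoint keyed only on a sequential data_id, and the mitigations Darwinbox cites (restricting lookups to the caller's own organisation and rate limiting), can be shown side by side in a small model. The following is an added illustration, not Darwinbox's code or CyberX9's; the record layout, the function names, the tenant names and the request budget are all assumptions made for the example.

```python
"""Tenant-scoped, rate-limited record lookup versus an ID-only lookup.

Everything here is constructed for illustration: the Employee/Session
types, the sample tenants "acme" and "globex", and the limit values are
assumptions, not the structure of any real HR platform.
"""
import time
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Employee:
    data_id: str  # sequential six-digit ID, as the report describes
    org: str      # client organisation that owns the record
    name: str
    email: str


@dataclass(frozen=True)
class Session:
    user_id: str  # authenticated caller
    org: str      # organisation the caller belongs to


# Constructed sample data: two tenants sharing one sequential ID space.
EMPLOYEES = {
    "000001": Employee("000001", "acme", "Asha Rao", "asha@acme.example"),
    "000002": Employee("000002", "acme", "Ravi Iyer", "ravi@acme.example"),
    "000003": Employee("000003", "globex", "Meera Nair", "meera@globex.example"),
}


class Denied(Exception):
    """Raised when a lookup is refused; one exception type for every refusal."""


def lookup_vulnerable(session, data_id):
    """The pattern the report describes: the ID is checked, the caller is not,
    so any authenticated user can read any tenant's record."""
    return EMPLOYEES.get(data_id)


class RateLimiter:
    """Sliding-window counter: at most `limit` calls per `window` seconds per key.
    `clock` is injectable so the behaviour can be tested deterministically."""

    def __init__(self, limit, window=60.0, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._hits = defaultdict(list)

    def allow(self, key):
        now = self.clock()
        recent = [t for t in self._hits[key] if now - t < self.window]
        if len(recent) >= self.limit:
            self._hits[key] = recent
            return False
        recent.append(now)
        self._hits[key] = recent
        return True


def lookup_hardened(session, data_id, limiter):
    """Hardened lookup:
    1. refuse callers over their request budget, which blunts bulk enumeration
       of a sequential ID space;
    2. return a record only if it belongs to the caller's organisation;
    3. use the same error for 'missing' and 'belongs to another tenant', so the
       response does not reveal which IDs exist."""
    if not limiter.allow(session.user_id):
        raise Denied("rate limit exceeded")
    rec = EMPLOYEES.get(data_id)
    if rec is None or rec.org != session.org:
        raise Denied("not found")
    return rec


def denied(fn, *args):
    """True if fn(*args) raises Denied; a convenience for callers and tests."""
    try:
        fn(*args)
    except Denied:
        return True
    return False


if __name__ == "__main__":
    caller = Session("u1", "acme")
    print("vulnerable cross-tenant read:", lookup_vulnerable(caller, "000003"))
    lim = RateLimiter(limit=3)
    print("hardened same-tenant read:", lookup_hardened(caller, "000001", lim))
    print("hardened cross-tenant read denied:", denied(lookup_hardened, caller, "000003", lim))
```

The authorisation check in step 2 is the actual fix; the rate limit only raises the cost of scanning a predictable ID range, and would not by itself stop a single targeted read. Replacing sequential IDs with random, opaque identifiers is a further hardening that makes the range unguessable, but it is not a substitute for checking who is asking.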