In a recent cybersecurity report, CyberX9 flagged several vulnerabilities within the HR tech platform Darwinbox, which could expose sensitive data of both employees and job applicants. Despite the report’s alarming findings, Darwinbox has strongly denied any breach on its platform, attributing the issue to client-side credential theft and leaks from the dark web.
🔍 CyberX9’s Findings: Vulnerabilities and Data Exposure

The cybersecurity firm discovered multiple vulnerabilities that could potentially expose critical personally identifiable information (PII) of employees working at client organizations using Darwinbox’s HR application. The exposed data reportedly includes full names, phone numbers, email addresses, job titles, locations, photos, and even resumes of job applicants.
CyberX9 reported that an endpoint within the Darwinbox system allowed unauthorized access to sensitive data through employee IDs, which the platform assigns sequentially. The firm also found that leaked credentials for a Typeform account, created by Darwinbox’s careers team, were linked to a prior breach of the Typeform platform in 2024. This led to the exposure of resumes and sensitive personal information belonging to applicants.
⚠️ Darwinbox’s Response: Denial of Breach and Client-Side Issues
In response to the vulnerabilities flagged by CyberX9, Darwinbox has issued a firm denial, stating that the issue did not stem from any breach within its platform. Instead, the company attributes the data leak to credential theft occurring on the client side, due to prior leaks on forums like BreachForums and potential malware infections on users’ personal devices.
Darwinbox confirmed that its systems remain secure and that no unauthorized access or compromise of its infrastructure occurred on its end. The company also emphasized that the data endpoint vulnerability mentioned in the report only affects users within the same organization, and that it has implemented fixes to address the issues raised.
💬 Statement from CyberX9
Himanshu Pathak, founder and MD of CyberX9, questioned the security practices of Darwinbox, specifically regarding the failure to change leaked credentials. He asked, “If Darwinbox knew about these leaked credentials, why didn’t they take action to protect their users’ sensitive data?”
Despite these concerns, CyberX9 acknowledged that Darwinbox had worked to implement fixes for the vulnerabilities. However, the firm raised concerns about whether Darwinbox’s response was adequate and whether the platform had been fully transparent in addressing the potential risks.
🔐 What’s Next for Darwinbox and Cybersecurity in HR Tech?
In a broader context, this incident highlights ongoing concerns in the HR tech industry about securing sensitive employee and applicant data. As companies increasingly adopt digital HR platforms like Darwinbox, ensuring robust cybersecurity practices is more critical than ever. Although Darwinbox has stated that it has implemented necessary fixes, the cybersecurity community will continue to watch closely as further investigations and audits unfold.
As a precautionary measure, CyberX9 has recommended enhanced security measures for organizations using Darwinbox, including limiting API requests and further strengthening security protocols at the client level to avoid such breaches in the future.
The case also highlights the importance of constant vigilance against client-side vulnerabilities, as attackers often target individual users through methods such as malware or phishing. As the HR tech landscape grows, maintaining robust data protection strategies will be essential to ensuring both organizational and customer trust.
Stay tuned as we continue to monitor updates on this ongoing security issue.
“The user’s login credentials were exposed through prior leaks publicly available on BreachForums, likely due to malware infections on users’ personal devices. Our investigation into the said report confirms that Darwinbox’s systems remain secure and safe. No unauthorised access or infrastructure compromise has occurred on Darwinbox’s side,” the company said.
In its communication to CyberX9, the HR tech firm also stated that the data endpoint vulnerability highlighted in the report is limited to users operating within their own organisation, and agreed that enhancing rate limits (limits on how much information an employee can retrieve) can further strengthen protection against the risk.