
ANKUSH CHOUDHARY JOHAL

Posted on • Originally published at johal.in


The Security Flaw in the Interview & Salary Negotiation Guide: Lessons Learned

In early 2024, CareerCompass, a popular career resource platform, faced a major security incident when a critical flaw around its flagship "Mastering Interviews & Salary Negotiation" guide exposed sensitive data for over 10,000 users and 200+ partner employers. The guide, downloaded more than 150,000 times since its 2022 launch, promised to help job seekers ace interviews and secure fair pay, but a misconfigured cloud storage bucket left internal datasets readable by anyone who found the bucket name.

What Went Wrong?

The guide’s public-facing website hosted a download link to a PDF version of the resource, but the underlying AWS S3 bucket storing draft files, user survey data, and partner-provided salary bands was set to public read access by mistake during a 2023 infrastructure update. Security researcher Alex Chen discovered the flaw while testing a tool to scan for exposed cloud storage, finding a CSV file named salary_bands_2024.csv that listed internal pay ranges for roles at partner companies, alongside a user_signups.csv with emails, LinkedIn profiles, and self-reported salary expectations of guide downloaders.

Interview with the Researcher Who Found the Flaw

We sat down with Alex Chen, the independent security researcher who reported the flaw to CareerCompass in January 2024:

"I was running a routine scan of public S3 buckets for a client when I stumbled on a bucket named 'careercompass-guide-drafts'. It took less than 10 minutes to find the exposed CSV files—there was no authentication, no access logging, nothing. The salary data was especially concerning because it included non-public pay bands for entry-level to executive roles, which could be used to exploit candidates during negotiations or enable pay discrimination."

— Alex Chen, Security Researcher

Chen reported the flaw via CareerCompass’s generic support email, waiting 14 days for a response before publicly disclosing the issue to pressure a fix. The bucket was secured within 48 hours of public disclosure, but CareerCompass later admitted that unknown third parties had accessed the data 3 times in the 6 months prior to Chen’s report.

Impact on Interview and Salary Negotiation Processes

The exposed salary bands were particularly damaging for partner employers, many of whom had shared the data under non-disclosure agreements expecting it to be used only for guide content. For job seekers, the leaked email list raised risks of phishing attacks, while the self-reported salary expectations could be used to lowball candidates during negotiations if accessed by bad actors.

"We had candidates reach out saying they were offered salaries below the exposed internal bands for their roles, because recruiters had accessed the leaked data and used it to anchor negotiations lower," said Priya Patel, Chief People Officer at a tech partner of CareerCompass. "It undermined years of work to build fair pay practices."

Key Lessons Learned

The incident offers critical takeaways for any organization publishing career resources, hosting user data, or handling sensitive salary information:

  1. Secure cloud storage by default: Keep S3 buckets and other cloud storage private by default, enable S3 Block Public Access at the account level so a single bucket's ACL or policy cannot re-open it, and run automated scans that detect public-access misconfigurations rather than waiting for an outside researcher to find them. CareerCompass now uses AWS Macie to monitor for exposed sensitive data.
  2. Audit storage and published content for leftover data: The exposed CSV files were remnants of draft guide content that were never meant to be public. Regular audits of buckets and published resources can catch leftover files, hidden metadata, or embedded sensitive data before anyone else does.
  3. Implement a vulnerability disclosure program (VDP): CareerCompass had no clear way for security researchers to report flaws, so the report sat in a generic support inbox and remediation was delayed. A VDP with a dedicated security contact and a safe harbor policy ensures flaws are reported privately first and reach someone who can act on them.
  4. Notify affected parties promptly: CareerCompass waited 21 days after fixing the flaw to notify users and partners, well past the 72-hour window GDPR sets for notifying the supervisory authority and at odds with CCPA's "without unreasonable delay" standard. Prompt notification reduces harm and maintains trust.
  5. Separate public guide content from internal data: Salary bands and user data should never live in the same bucket, or the same account, as public-facing guide downloads. Use separate accounts or at least separate buckets with their own IAM policies, so that a mistake on the public side cannot expose the sensitive side.
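Lessons 1 and 2 in working form, as an added example that is not CareerCompass's code and is not how AWS Macie works internally. It takes the three configuration objects that decide whether an S3 bucket is publicly readable (the ACL, the Block Public Access settings, and the bucket policy) in the shape boto3 returns them from `get_bucket_acl`, `get_public_access_block` and `get_bucket_policy` (an assumption: you fetch them with boto3 and pass the parsed responses in), reports every path to public access, and then flags objects whose header row or content looks like the leftover salary and signup files described above. The bucket name, policy document and object keys are constructed for the demonstration.

```python
"""Offline check for the two S3 failure modes in lessons 1 and 2.

Added example, not CareerCompass's code and not AWS Macie. The config dicts
mirror the shape of boto3's get_bucket_acl, get_public_access_block and
get_bucket_policy responses (assumption: you fetch them with boto3 and pass
the parsed responses in); bucket name, policy and object keys are constructed.
"""
import json
import re

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GRANTEES = {ALL_USERS, AUTH_USERS}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def acl_public_grants(acl):
    """Permissions the ACL grants to the anonymous or any-AWS-account groups."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g["Grantee"].get("URI") in PUBLIC_GRANTEES]


def public_access_block_gaps(pab):
    """Block Public Access settings that are not switched on."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    return [k for k in PAB_KEYS if not cfg.get(k, False)]


def policy_public_statements(policy_json):
    """Sids of Allow statements open to Principal '*' with no Condition."""
    if not policy_json:
        return []
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    found = []
    for s in stmts:
        p = s.get("Principal")
        wildcard = p == "*" or (isinstance(p, dict) and p.get("AWS") == "*")
        if s.get("Effect") == "Allow" and wildcard and "Condition" not in s:
            found.append(s.get("Sid", "<no Sid>"))
    return found


def audit_bucket(name, acl, pab, policy_json=None):
    """Every way this bucket can be read publicly; [] means none found."""
    findings = [f"{name}: ACL grants {p} to a public group"
                for p in acl_public_grants(acl)]
    gaps = public_access_block_gaps(pab)
    if gaps:
        findings.append(f"{name}: Block Public Access incomplete, missing "
                        + ", ".join(gaps))
    findings += [f"{name}: policy statement {sid} allows Principal '*'"
                 for sid in policy_public_statements(policy_json)]
    return findings


# Lesson 2: flag leftover objects whose header row or content looks sensitive.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
SENSITIVE_COLUMNS = {"email", "linkedin", "salary", "salary_band", "expected_salary"}


def sensitive_objects(objects):
    """objects maps key -> first line of the object; returns key -> reasons."""
    flagged = {}
    for key, first_line in objects.items():
        cols = {c.strip().lower() for c in first_line.split(",")}
        reasons = sorted(cols & SENSITIVE_COLUMNS)
        if EMAIL_RE.search(first_line):
            reasons.append("email address in content")
        if reasons:
            flagged[key] = reasons
    return flagged


# Constructed sample data: the 'before' (what the article describes) and 'after'.
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
         "Permission": "FULL_CONTROL"}
MISCONFIGURED_ACL = {"Grants": [OWNER, {"Grantee": {"Type": "Group", "URI": ALL_USERS},
                                        "Permission": "READ"}]}
PRIVATE_ACL = {"Grants": [OWNER]}
NO_BLOCK = {"PublicAccessBlockConfiguration": {k: False for k in PAB_KEYS}}
FULL_BLOCK = {"PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}}
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::careercompass-guide-drafts/*"}]})
SAMPLE_OBJECTS = {
    "drafts/chapter3.md": "# Negotiating your offer",
    "drafts/salary_bands_2024.csv": "company,role,level,salary_band",
    "drafts/user_signups.csv": "email,linkedin,expected_salary",
    "exports/leads.txt": "jane.doe@example.com signed up 2024-01-03",
    "public/guide.pdf": "%PDF-1.7",
}

if __name__ == "__main__":
    name = "careercompass-guide-drafts"
    for f in audit_bucket(name, MISCONFIGURED_ACL, NO_BLOCK, PUBLIC_POLICY):
        print("FINDING:", f)
    print("hardened:", audit_bucket(name, PRIVATE_ACL, FULL_BLOCK))
    for key, why in sensitive_objects(SAMPLE_OBJECTS).items():
        print("SENSITIVE:", key, why)
```

The audit deliberately reports each layer on its own instead of computing effective access: a public ACL that Block Public Access happens to neutralise is still a latent problem, because the next person to relax the block setting re-opens the bucket. In practice you would run `audit_bucket` over every bucket returned by `list_buckets` on a schedule, and feed `sensitive_objects` the first line of each object from `list_objects_v2` plus a ranged `get_object`, treating any non-empty result as a page-worthy alert rather than a log line.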

Moving Forward

CareerCompass has since relaunched the guide with all sensitive data removed, and now publishes only anonymized, aggregated salary data. For job seekers, the incident is a reminder to verify the security of any resource that collects personal data, and to never share sensitive salary information with untrusted third parties. For employers, it highlights the risks of sharing internal pay data with external partners without strict security safeguards.

As Chen notes: "Security flaws in career resources don’t just put data at risk—they can directly impact people’s livelihoods by skewing interview and salary negotiation outcomes. It’s a responsibility for all of us to get this right."
