Blog
Conversational AI
2 min read
July 9, 2025

Responsible Security Update

Updated as of 7/9/25 at 12:35 PM PT


Summary

On June 30, two security researchers reached out to the Paradox team about a vulnerability on our system. We promptly investigated the issue and resolved it within a few hours of being notified.

  • Importantly, at no point was candidate information leaked online or made publicly available.
  • Five candidates in total had information viewed because of this incident, and it was ONLY viewed by the security researchers.
  • This incident impacted one organization – no other Paradox clients were impacted.

While the issue has been remediated, we feel strongly that it’s important we provide our clients with more information. We’re in both the people business and the software business, which means that maintaining trust with our clients and their candidates isn’t optional; it’s foundational. Below, we’ll walk through what the researchers found, what data was involved, and what we’ve done to remediate the issue.

What Happened

Using a legacy password, the researchers logged into a Paradox test account related to a single Paradox client instance. We’ve updated our password security standards since the account was created, but this test account’s password was never updated. Once logged into the test account, the researchers identified an API endpoint vulnerability that allowed them to access information related to chat interactions in the affected client instance. Unfortunately, none of our penetration tests previously identified the issue. The majority of the chat interaction records were not tied to a candidate in the system and did not include candidate personal information. However, to validate their findings, the researchers pulled down seven chat interaction records, five of which were for U.S.-based candidates that included names, email addresses, phone numbers and IP addresses. The other two chat interaction records did not include any candidate personal information. Again, once we learned of this issue, the test account credentials were immediately revoked and an endpoint patch was deployed, resolving the issue within a few hours.

What Did Not Happen

First and foremost, we want to emphasize that this incident impacted one Paradox client instance. We have been in frequent communication with the affected organization, and our other client instances were not impacted. Second, we are confident that, based on our records, this test account was not accessed by any third party other than the security researchers. It had not been logged into since 2019 and frankly, should have been decommissioned. Lastly, no sensitive personal information, such as Social Security numbers, was exposed. Those data fields remained protected in the system. We want to be very clear that while the researchers may have briefly had access to the system containing all chat interactions (NOT job applications), they only viewed and downloaded five chats in total that had candidate information within. Again, at no point was any data leaked online or made public.

Going Forward

Both the legacy password and the API endpoint vulnerability have been addressed. Additionally, we are launching several new security initiatives including providing an easy way to contact our security team (security@paradox.ai) on our website and a bug bounty program. We take responsibility for this issue. Full stop. Our clients and their candidates place their trust in us, and we are committed to maintaining that trust. We also want to thank the researchers for responsibly disclosing the issue, which allowed us to fix it quickly.

Written by Paradox Staff, Paradox
