A threat actor claims to have breached AI recruitment platform Suitable AI by exploiting multiple GraphQL vulnerabilities, allegedly exposing applicant records, resumes, and recruitment data belonging to more than 15,000 users.
GraphQL vulnerabilities allegedly enabled account access
According to a forum post published on July 13, the threat actor claims Suitable AI’s GraphQL implementation contained authentication and authorization weaknesses that allowed unauthorized access to applicant information.
The actor alleges they discovered an authentication bypass that allowed them to obtain valid user sessions without completing normal authentication checks. They further claim another GraphQL endpoint could be queried without authentication to retrieve applicant information when a user identifier was known.
15,176 applicant records reportedly obtained
The threat actor claims to have extracted data belonging to 15,176 applicants despite alleging the platform contained more than 53,000 user accounts.
According to the post, the allegedly compromised records include applicant names, email addresses, phone numbers, recruitment status, AI-generated ratings, recruiter workflow information, referral data, rejection details, and links to uploaded resumes.
The actor also claims portions of recruiter-facing application metadata were exposed, including candidate experience, expected salary, notice periods, location details, LinkedIn profile URLs, and other information submitted during the hiring process.
No evidence has been presented indicating that payment information or passwords were included in the alleged dataset.
Applicant resumes could increase exposure
If confirmed, the alleged exposure could present elevated privacy risks because uploaded resumes frequently contain additional personal information beyond basic contact details. Depending on what individual applicants included in their resumes, affected records could contain employment histories, education information, certifications, addresses, and other personally identifiable information.
Second AI platform targeted by same threat actor
The alleged breach follows another recent claim involving an AI platform. Earlier this month, BreachNews reported on the alleged EcoGPT data exposure, where the same threat actor claimed an unauthenticated Supabase database exposed shared conversation records. While the reported attack methods differ, both incidents involve alleged application-level security weaknesses rather than traditional network intrusions.
Threat actors increasingly appear to be targeting AI platforms that process large volumes of user-submitted information, particularly services handling resumes, prompts, conversations, and other sensitive personal data.
BreachNews contacted Suitable AI for comment prior to publication. The company had not responded at the time of publication.












