Filipino Virtual Assistant Training Platform Exposes Over 25,000 Résumés
What if your résumé, listing your name, education, work history, and professional skills, could be found online by anyone without your knowledge? What if it had been there for years, quietly indexed and potentially downloaded thousands of times?
These questions emerged after our team accidentally uncovered a publicly accessible website hosting thousands of Virtual Assistant (VA) résumés. The platform, designed to help ProVA trainees create and share their credentials with potential employers, contained over 25,000 résumés and CVs openly available for viewing and download with no login or authorization required.
The finding came when our Breach Monitoring Team encountered the site while pursuing an unrelated lead. At first glance, it appeared to be a standard training resource. Upon closer examination, the team found a structured directory of résumés, each published as an individual online portfolio.
https://iili.io/FtiG3Cl.png
https://iili.io/FtiGdQ4.png
The pages followed a uniform layout, featuring sections for professional experience, education, certifications, and detailed job responsibilities, similar to the format of a typical résumé. These included timelines of past roles, specific achievements, and academic records, presented in a style intended for recruiters but inadvertently accessible to the wider public.
Because the site lacked authentication requirements, any visitor could access a résumé directly through its link. DWK confirmed that with minimal effort, thousands of profiles could be downloaded individually or in bulk. This unrestricted access was originally meant to simplify employer viewing but effectively allowed anyone, including automated bots, to collect the information.
While the platform’s purpose was to promote VA trainees, the absence of access controls meant résumés could be indexed by search engines or harvested by data scrapers, potentially reaching audiences far beyond its intended scope.
Résumés often contain detailed career timelines, names of organizations, academic institutions, and in some cases, contact information. Such data holds value not only for legitimate recruiters but also for scammers and cybercriminals, who could use it for targeted phishing, impersonation in job scams, or identity fraud.
Unlike passwords, which can be reset, professional and educational histories are permanent. Once such information is copied or stored elsewhere, it cannot be fully recalled, leaving individuals vulnerable even after the original source is secured.
DWK has contacted the website’s administrator and owner to formally raise these concerns. Job seekers are reminded to limit the personal details they include in publicly viewable résumés, avoiding sensitive identifiers such as full addresses or personal phone numbers. Always verify the privacy settings of any online platform before uploading professional documents.