A note on the cyberattack on Homerun

Published November 9th, 2021

Homerun was recently the victim of a cyberattack which caused data of our customers (that were using Homerun to publish job posts and manage job applications) to be exposed to a cyber attacker. This data included files with candidate information that candidates have shared in their job applications.

Within 48 hours of discovering the attack, we fixed the vulnerability alongside an external cybersecurity company, Northwave, so the cyber attacker no longer has access to the data. We've also gone to great lengths to ensure that the stolen data was not made public. We've reached an agreement with the cyber attacker, so we also do not expect this to happen. Northwave has never experienced data being made public in comparable cases after an agreement has been made.

We've informed all our customers who have been affected by this attack and our team has been working around the clock doing everything in our power to do right by all customers and candidates whose data may have been affected.

This is why we're sharing more detailed information about the cyberattack for anyone else who is concerned about what this might mean for them. We hope this provides you with clarity and reassurance about what's happened.

What happened

  • A cyber attacker accessed our systems on October 20th and made a copy of a number of files from our data storage. They were unable to delete or alter the data due to security measures we had in place. They simply copied it.
  • We host our infrastructure on Amazon Web Services. Part of this infrastructure includes running web servers using a popular software package called Apache HTTP Server. At the time of the incident, that software had a vulnerability (CVE-2021-40438) that allowed an attacker to reach the internal AWS metadata service and steal access tokens. Those tokens were later used to access our data storage, which contains the personal data.
  • We discovered the attack on October 26th and immediately engaged external cybersecurity company Northwave. Alongside them, we were able to find and fix the vulnerability on October 28th so the cyber attacker could no longer access the data storage.
  • After that, we reached an agreement with the cyber attacker. They confirmed that all copied data has not been made public and has been destroyed. There's no indication that the affected data has been made public and we also do not expect this to happen. The cyber security experts from Northwave have never experienced data being made public in comparable cases after an agreement has been made.
  • We contacted customers who were affected on October 29th, informing them of the cyber attack.
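As an added example (not part of Homerun's or Northwave's material), here is a detection for the last step of the chain described above: credentials that the metadata service hands to an EC2 instance being used from a network the instances would never call AWS from. It runs over constructed CloudTrail-style records; the trusted egress range, account id, role name and instance id are all assumptions.

```python
import ipaddress

# Constructed for this example: the egress ranges from which our EC2 instances are
# expected to call AWS APIs (RFC 5737 documentation addresses used as placeholders).
TRUSTED_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed CloudTrail-style records (field names follow CloudTrail's schema, values are
# made up). The second record models instance-role credentials being used off-path;
# ec2RoleDelivery "1.0" means the credentials were fetched over IMDSv1.
SAMPLE_EVENTS = [
    {"eventTime": "2021-10-20T10:02:11Z", "eventName": "GetObject",
     "sourceIPAddress": "203.0.113.14",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/web-role/i-0abc123def456789a",
                      "sessionContext": {"ec2RoleDelivery": "1.0"}}},
    {"eventTime": "2021-10-20T11:47:03Z", "eventName": "GetObject",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/web-role/i-0abc123def456789a",
                      "sessionContext": {"ec2RoleDelivery": "1.0"}}},
]


def is_instance_role_session(identity):
    """True when the caller is a role session delivered to an EC2 instance: CloudTrail
    records these as AssumedRole with the instance id as the session name."""
    if identity.get("type") != "AssumedRole":
        return False
    session_name = identity.get("arn", "").rsplit("/", 1)[-1]
    return session_name.startswith("i-")


def find_offpath_credential_use(events, trusted_networks):
    """Return (time, role arn, source ip, api call) for every instance-role call whose
    source address lies outside the trusted egress ranges."""
    findings = []
    for event in events:
        identity = event.get("userIdentity", {})
        if not is_instance_role_session(identity):
            continue
        try:
            source = ipaddress.ip_address(event.get("sourceIPAddress", ""))
        except ValueError:
            continue  # AWS-internal callers log a service name here, not an address
        if any(source in net for net in trusted_networks):
            continue
        findings.append((event["eventTime"], identity["arn"], str(source), event["eventName"]))
    return findings


if __name__ == "__main__":
    for finding in find_offpath_credential_use(SAMPLE_EVENTS, TRUSTED_EGRESS):
        print("instance credentials used off-path:", finding)
```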

How we followed up

  • We completed a comprehensive forensic investigation alongside Northwave. This provided us with more details about the attack, the data that was affected and the measures we are implementing to keep this from happening in the future.
  • We've been in touch with the DPA (Dutch Data Protection Authority - Autoriteit Persoonsgegevens) and notified them about the cyberattack and the impacted data of our own candidates.
  • Our customers may also notify the DPA about the affected data for which they are responsible and contact their own candidates.
  • We've also filed a complaint with the police.

Moving forward

  • For anyone whose data has been affected in the attack, it's important to know that the data has not been made public and we also do not expect this to happen, as we reached an agreement with the cyber attacker.
  • Of course, it's always good practice to be careful when receiving unusual emails and text messages as these could be phishing attempts. However, we have no reason to believe that this cyberattack will lead to phishing attempts being targeted at anyone whose data was affected.
  • We founded Homerun 7 years ago because we wanted to improve the experience for candidates applying to jobs. A part of this has been making it easy for small companies to handle their candidates' data with care. We've always committed ourselves to privacy best practices. However, following this cyberattack, we see an opportunity to take an even more radical standpoint in this by embedding more privacy principles (for example, more opt-out and fewer opt-in privacy settings) and giving more control to job applicants over their data.

Frequently Asked Questions

How did this happen?

Regrettably, it happens quite often in the tech world that tech companies become targets of cyber attackers. Please know that we have an experienced and capable team that has done a lot to make Homerun a secure platform. However, it's almost impossible to be 100% secure. Cyber attackers are extremely smart, and in our case they abused a vulnerability in Apache HTTP Server software.

How do I know if I've been affected by this?

We've informed all our customers who have been affected by this. All the candidates that were present in our customers' accounts and that applied before the 20th of October may have been affected in this cyber attack.

Was the affected data made public?

No, the affected data has not been made public, as we reached an agreement with the cyber attacker. In the investigation, Northwave ascertained that all copied data has been destroyed and there's no indication it was ever made public. It is not possible to determine this with 100% certainty; however, Northwave has never experienced data being made public in comparable cases after an agreement has been made.

I've been informed that my data has been affected by this cyberattack. I have questions about my data.

It's best to reach out to the company that you applied to. We've informed all our customers and they have all the information about the incident.

What measures have been put in place to fix this issue?

Upon discovery, we immediately fixed the vulnerability by upgrading Apache HTTP Server software on all running servers. Northwave has checked and confirmed that this fix is effective against similar attacks.

Should I be worried if I've been informed that my job application data has been affected in this cyberattack?

There's no reason to believe that this cyberattack will lead to phishing attempts being targeted at anyone whose data was affected. Of course, it's always good practice to be careful when receiving unusual emails and text messages as these could be phishing attempts. Nonetheless, Northwave continuously monitors leak sites. They will report back to us if any suspicious activity is detected.