NEOM Job Portal: 280,000 Applicants' Data Exposed in Recruitment Breach
On January 23, 2025, threat intelligence researchers identified a dataset containing 280,000 job applicant records from NEOM's recruitment portal being sold via BF Escrow on BreachForums and cross-posted on the XSS forum.
The exposed data included full names, email addresses, phone numbers, and bcrypt-hashed passwords belonging to individuals who had applied for positions at Saudi Arabia's flagship $500 billion mega-project.
NEOM had experienced credential leaks as early as 2023, and the persistence of security weaknesses in its public-facing recruitment infrastructure enabled the extraction.
KEY FACTS
- What: 280,000 NEOM job applicant records sold on BreachForums.
- Who: Job applicants to Saudi Arabia's $500B mega-project from dozens of countries.
- Data Exposed: Names, emails, phone numbers, and bcrypt password hashes.
- Outcome: Prior credential leaks since 2023 went unremediated; PDPL applies.
WHAT HAPPENED
On January 23, 2025, threat intelligence firm DarkEye identified a listing on BreachForums offering 280,000 job applicant records from NEOM's recruitment portal.
The dataset was sold through BF Escrow - BreachForums' built-in escrow service that provides buyer protection and indicates seller confidence in data quality and freshness.
The same dataset was cross-posted on the XSS forum, a Russian-language cybercrime marketplace, broadening the buyer pool to the Russian-speaking threat actor ecosystem.
The records belonged to professionals who had applied for positions at NEOM, Saudi Arabia's $500 billion flagship mega-project encompassing THE LINE, Trojena, Oxagon, and Sindalah.
The applicant pool comprised engineers, architects, project managers, and executives from dozens of countries who submitted personal information through NEOM's public-facing recruitment portal.
The exposed data included full names, email addresses (both personal and corporate, many tied to current employers), phone numbers, and bcrypt-hashed passwords.
Bcrypt's adaptive work factor makes large-scale offline cracking expensive, but it does not protect weak or common passwords: every hash that is cracked yields an email-password pair that can be replayed in credential stuffing attacks against other platforms where the applicant reused the password.
NEOM's recruitment infrastructure had shown signs of weakness long before this breach.
Credential leaks associated with NEOM systems were identified as early as 2023, yet the underlying security weaknesses in the public-facing recruitment portal persisted unremediated through 2024 and into 2025. The failure to address known credential exposures over a two-year period enabled the conditions for this larger extraction.
The specific attack vector - whether SQL injection, API abuse, credential compromise of an administrative account, or exploitation of a web application vulnerability - has not been publicly disclosed by NEOM. NEOM issued no public acknowledgment of the breach.
WHAT WAS EXPOSED
- Full names of 280,000 job applicants representing professionals from dozens of countries
- Email addresses, both personal and corporate, many tied to current employers
- Phone numbers enabling direct contact by threat actors for phishing
- Bcrypt password hashes presenting credential reuse risk
The 280,000 applicants represent a curated pool of skilled professionals: engineers, architects, project managers, and executives who believed their personal information was being handled by an organization operating at the frontier of innovation.
The use of BF Escrow indicates seller confidence in data quality. Cross-posting on the XSS forum broadened the buyer pool to the Russian-speaking cybercrime ecosystem.
REGULATORY ANALYSIS
This breach falls under active PDPL enforcement (the grace period ended and enforcement commenced on September 14, 2024), so NEOM is subject to the full scope of PDPL requirements. The international composition of the applicant pool raises the possibility of parallel regulatory exposure under GDPR, CCPA, and other frameworks.
Article 20 requires the controller to notify SDAIA of a personal data breach; the Implementing Regulations set the deadline at 72 hours from becoming aware of it. Article 19 mandates appropriate organizational, administrative, and technical security measures. Credential leaks known since 2023 and left unremediated would be viewed as an aggravating factor.
ZERO|TOLERANCE Advisory
A recruitment portal for a $500 billion mega-project exposed 280,000 applicant records to cybercriminal marketplaces.
The data had been accumulating since NEOM began accepting applications, and credential leaks dating to 2023 signaled that the portal's security posture was insufficient. Nothing reported about the breach suggests a sophisticated attack against a hardened target.
It reads as the predictable consequence of leaving known weaknesses unremediated on a public-facing web application that collected personal data from professionals across dozens of countries.
Every control below addresses a specific failure in the chain from initial weakness to full data exposure.
The persistence of credential leaks since 2023 without remediation is the foundational failure.
Credential monitoring services - SpyCloud, Flare, Hudson Rock, or Have I Been Pwned's domain search - detect when credentials associated with an organization's domains appear in dark web marketplaces, infostealer logs, or breach compilations.
When NEOM recruitment portal credentials surfaced in 2023, the response should have been immediate: forced password resets for all affected accounts, investigation of the source of the credential leak, and a security assessment of the recruitment portal itself.
The difference between acting on a 2023 credential leak signal and ignoring it was two years of continued exposure culminating in 280,000 records on BreachForums.
The recruitment portal collected personal data from hundreds of thousands of international professionals and stored it in a database accessible through a public-facing web application.
Web applications handling this volume of personal data require continuous security assessment: annual penetration testing at minimum, supplemented by automated Dynamic Application Security Testing (DAST) tools such as Burp Suite Enterprise, OWASP ZAP, or Qualys WAS running on a weekly schedule.
API security testing must cover every endpoint that accepts or returns personal data. Input validation, parameterized queries to prevent SQL injection, rate limiting on data retrieval endpoints, and object-level authorization checks (so one applicant's session cannot walk through other applicants' records by id) are baseline controls.
The web application should have been assessed and hardened after the 2023 credential leaks were identified - the fact that 280,000 records were extractable two years later indicates that no meaningful security assessment occurred.
The exposed bcrypt password hashes are costly to crack at scale because of bcrypt's per-guess work factor, but weak and common passwords still fall to dictionary attacks, and every cracked pair presents a credential reuse risk that extends far beyond the NEOM portal.
The 280,000 applicants used email addresses - many corporate - and passwords that they likely reuse across other platforms. Affected individuals must be notified and advised to change passwords on every service where they used the same email-password combination.
The recruitment portal should enforce multi-factor authentication for applicant accounts, require a minimum password length, and implement breached-password detection using the Have I Been Pwned Pwned Passwords API (queried by SHA-1 prefix under its k-anonymity scheme, so the password itself never leaves the server) to reject passwords that have appeared in prior breaches.
For a portal processing data from international professionals - many of whom hold security clearances or work in sensitive industries - password-only authentication is insufficient.
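The breached-password check described above, as an added example written for this page rather than anything NEOM runs. It computes the SHA-1 of the candidate password, sends only the first five hex characters to the Pwned Passwords range endpoint, and matches the remaining 35 characters locally against the returned suffix list, so the service never sees the password or its full hash. The live fetch is included for reference but the demo runs offline against a constructed range response; the breach counts and the neighbouring suffixes in that response are made up, and the length policy (12 characters) is an assumed value.

```python
"""Added example, not NEOM's code: server-side password screening for a
signup form using the Have I Been Pwned Pwned Passwords range API with
its k-anonymity scheme. The API response used by the offline demo is
constructed; only the SHA-1 prefix/suffix split mirrors the real protocol."""
import hashlib
import urllib.request

MIN_LENGTH = 12  # assumed policy value
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 into the 5-char prefix sent to the
    service and the 35-char suffix that is only ever compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix):
    """Live lookup: returns the 'SUFFIX:COUNT' lines for one 5-char prefix.
    Add-Padding asks the service to pad the bucket with zero-count entries so
    response size does not leak how many real suffixes share the prefix."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "example-password-screen/1.0"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, range_lookup=fetch_range):
    """Number of times the password appears in HIBP (0 if absent).
    Padding entries carry a count of 0 and therefore never flag a password."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count or 0)
    return 0


def evaluate_password(password, range_lookup=fetch_range):
    """Apply the length policy and the breach check; report every failure."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    n = breach_count(password, range_lookup)
    if n > 0:
        reasons.append("breached")
    return {"ok": not reasons, "reasons": reasons, "breach_count": n}


# Constructed stand-in for the API, keyed by prefix. The suffix for
# "password" is the real SHA-1 tail; the counts and neighbours are invented.
CONSTRUCTED_RANGE_RESPONSES = {
    "5BAA6": "\n".join([
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:0",  # padding entry
    ]),
}


def constructed_lookup(prefix):
    """Offline replacement for fetch_range(); unknown prefixes get padding only."""
    return CONSTRUCTED_RANGE_RESPONSES.get(
        prefix,
        "0000000000000000000000000000000000A:0\n0000000000000000000000000000000000B:0",
    )


if __name__ == "__main__":
    for pw in ("password", "Trojena-Oxagon-Sindalah-2025"):  # second one is constructed
        print(pw, "->", evaluate_password(pw, constructed_lookup))
```

The check belongs at signup and at every password change, and should also run once over existing accounts after an incident like the 2023 credential leak, forcing a reset for any account whose current password now appears in the breach corpus.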
The international composition of the applicant pool creates regulatory exposure across multiple jurisdictions simultaneously. Applicants from EU member states trigger GDPR obligations including 72-hour breach notification to supervisory authorities.
Applicants from California trigger CCPA notification requirements. Applicants from the UK trigger UK GDPR obligations. NEOM, as the data controller, is required under Saudi PDPL Article 20 and its Implementing Regulations to notify SDAIA within 72 hours.
Notifications to regulators are not always made public, but the absence of any acknowledgment to the applicants themselves suggests that data-subject notification obligations may not have been met in any jurisdiction.
Organizations processing personal data from international applicant pools must maintain a breach notification decision matrix that maps affected data types to applicable jurisdictions and triggers parallel notifications within the shortest applicable deadline.
SOURCES
DarkEye (@DarkEyeIntel), PKWARE Data Breaches Report, Saudi PDPL (Royal Decree M/19)