
A server storing an unknown number of résumés and CVs has been leaking private data for years. Affected sites include the massive catch-all job seeker platform Monster.com, with data having been exposed from at least 2014 through 2017.

TechCrunch first reported on this issue, and says “It’s not known exactly how many files were exposed, but thousands of résumés were found in a single folder dated May 2017.” Though Monster was affected, its Chief Privacy Officer Michael Jones says the company didn’t own the server. Jones claims the server was owned by a recruitment company, which they refuse to name, saying they are “not in a position” to do so.

Monster also offered the following:

Customers that purchase access to Monster’s data – candidate résumés and CVs – become the owners of the data and are responsible for maintaining its security. Because customers are the owners of this data, they are solely responsible for notifications to affected parties in the event of a breach of a customer’s database.

Monster also claims after the unsecured server was reported to it, the company responsible was notified, and the server was secured in late August.

Curiously, this server seemed to house a lot more than your average résumé. The report says it also housed immigration documents for work, which Monster doesn’t collect.

This is troubling for a variety of reasons. First, we have no idea how widespread this data leak is. One file containing “thousands” of résumés and CVs is jarring – even more so because we don’t know if it’s one of many. Monster wasn’t clear about how much data an outside company can purchase access to: did it scrape Monster’s entire database? Is that even possible?

If this single file with thousands of résumés was itself one of thousands of files, this leak could be intense. We give up a lot of personal information on résumés. Worse than a server being left unsecured is not knowing who had access to it; TechCrunch says the server was “found online,” but didn’t note how it was able to discover the server.

Like all data breaches, assume your use of the service means you’ve been compromised.