Someone hacked Johnson & Johnson's internal systems to teach it a lesson

lokamoka820

Mar 1, 2024
A cybersecurity researcher uncovered two authentication flaws in Johnson & Johnson web applications that exposed sensitive recruiter tools, employee records, and an internal audit management system.

Both vulnerabilities stemmed from improper backend authentication, allowing attackers to bypass Microsoft SSO by manipulating client-side code because the servers failed to verify user identity.

The flaws exposed highly sensitive data, including information on nearly 1,000 student applicants, approximately 13,600 employee records, and confidential audit data across about 20 J&J business units.

The researcher responsibly disclosed the vulnerabilities in October 2025, but while the recruiting platform was fixed quickly, the critical audit system remained vulnerable for six months until media involvement prompted remediation.
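As an added illustration of the bug class the post describes (this is example code, not from the article and not Johnson & Johnson's code): an API handler that trusts a client-asserted "SSO completed" signal, beside a hardened handler that only serves data after verifying a server-issued, signed session token. The header names, secret, claims and audit records are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed secret for the example; a real service keeps this in a secret store.
SERVER_SECRET = b"example-only-secret"
# Constructed stand-in for the protected audit data.
AUDIT_RECORDS = [{"unit": "example-unit-1", "finding": "sample finding"}]


def issue_session_token(subject, ttl_seconds=3600, now=None):
    """Mint a signed session token once the SSO provider has authenticated `subject`."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": subject, "exp": int(now + ttl_seconds)}).encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig


def verify_session_token(token, now=None):
    """Return the subject if the token is well-formed, untampered and unexpired, else None."""
    try:
        encoded, sig = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(encoded)
    except ValueError:
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    claims = json.loads(payload)
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")


def vulnerable_audit_api(request):
    """Bug pattern: the server assumes the front end already finished SSO.
    Anything the client sends is under the client's control, so this gate is cosmetic."""
    if request.get("headers", {}).get("X-SSO-Complete") == "true":
        return 200, AUDIT_RECORDS
    return 401, None


def hardened_audit_api(request, now=None):
    """Fix: identity is established server-side from a token only the server can mint."""
    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, None
    subject = verify_session_token(auth[len("Bearer "):], now=now)
    if subject is None:
        return 401, None
    return 200, AUDIT_RECORDS
```

The same request that satisfies the vulnerable handler is rejected by the hardened one, while a token minted by the server after SSO is accepted until it expires.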