
Security Researcher Exposes Johnson and Johnson Authentication Flaws

Hacker News

Security researcher Eaton disclosed two critical vulnerabilities in Johnson and Johnson web applications that exposed sensitive employee and student data. The first flaw existed in a campus recruiting platform used to manage college hiring events, where nearly 1,000 students had their information accessible through improperly secured endpoints.

The Campus Recruiting site relied on a hardcoded API key instead of validating Microsoft Authentication Library tokens, allowing anyone to access private recruiter routes. Researchers could view student submissions, ratings, and interview notes without proper credentials, bypassing the Microsoft SSO login page entirely.

The second vulnerability affected an internal Audit Tracking Management System used across 20 Johnson and Johnson companies. By manipulating client-side code and spoofing administrator credentials stored in local storage, the researcher gained full administrative access to confidential audit records and meeting transcripts. The system contained 13.6k employee records and sensitive documentation.

Johnson and Johnson patched the campus recruiting issue within 25 days but ignored the ATMS vulnerability for months despite repeated follow-ups. Only after journalist intervention in April 2026 did they finally address the internal audit system breach, raising questions about how their vulnerability response process has changed since 2024.