Measuring Real-World Prompt Injection Attacks in LLM-based Resume Screening
Researchers conducted the first systematic study of prompt injection attacks in real-world LLM-based resume screening, analyzing approximately 200,000 resumes from hireEZ. They found that ~1% of resumes contain hidden prompt injections, with prevalence increasing significantly over the past 1-2 years, and discovered that over 90% of injected prompts use subtle methods rather than explicit instructions.
This research marks a critical pivot from theoretical vulnerability demonstrations to empirical evidence of widespread prompt injection exploitation in production AI systems. The study's scale—analyzing 200,000 real resumes—provides concrete data that attackers are actively weaponizing LLM weaknesses in hiring workflows, a high-stakes application where resume content directly influences hiring decisions.
Prompt injection vulnerabilities have been understood by security researchers since LLMs gained mainstream adoption, but the gap between academic warnings and real-world prevalence remained unmeasured. This work bridges that gap by revealing that approximately 1 in 100 resumes now contain adversarial prompts designed to manipulate screening systems. The temporal trend showing increased injection prevalence over recent years suggests either growing attacker sophistication or increasing awareness of the technique's effectiveness.
The discovery that over 90% of injected prompts avoid explicit instructions is particularly significant. Rather than crude attempts to override system instructions with clear directives, attackers are employing subtle manipulation tactics, likely semantic attacks that blend naturally with resume content while steering model outputs. This indicates an arms race where attackers are outpacing detection capabilities.
For the AI industry, this research exposes a critical security gap in deployment practices. Resume screening represents billions in hiring decisions annually across enterprise customers; compromised screening creates liability and reputational risk. For LLM vendors and enterprises, the findings demand urgent attention to prompt injection defenses in production systems. The high precision of the study's custom detectors, which were tailored to resume-specific injection patterns, suggests that domain-specific detection remains viable, but widespread adoption depends on security prioritization and resource allocation. Expect accelerated investment in prompt injection defenses and evaluation frameworks specifically for hiring AI systems.
- Approximately 1% of resumes in a 200K dataset contain hidden prompt injections targeting LLM-based screening systems
- Prompt injection prevalence in resumes has increased noticeably over the past 1-2 years, indicating growing real-world exploitation
- Over 90% of detected injected prompts use subtle methods rather than explicit instructions, revealing sophisticated attack evolution
- Custom detectors tailored to resume-specific injection patterns outperformed general-purpose detection systems with high precision
- This is the first large-scale empirical evidence of prompt injection attacks in production LLM applications, shifting the issue from theoretical to urgent