UPDATE: Nikki Richardson, VP Corporate Communications at Monster Worldwide, has replied to our e-mail saying that the company is in the process of contacting users but cannot disclose specific details of the breach right now. The full exchange is reproduced at the end of the post.
Popular online job site Monster.com acknowledged a security breach of its user database on Friday and is recommending that users immediately change their passwords and watch for phishing e-mails. The compromise is the second in two years for Monster.com and involved the loss of user log-in details, passwords, e-mail addresses, names and telephone numbers.
This breach also affected Monster.com’s client, USAJOBS, the official job site of the US government.
Drive by Downloads and Trojans at Monster.com in 2007
In August 2007, malware authors targeted Monster.com with a Trojan delivered through advertisements on the site, using the ads to install malicious software on visitors' machines. Some ads required the visitor to click on them; others infected anyone who merely landed on the page hosting the ad, a classic drive-by download.
Symantec, which had been monitoring and analyzing the attack, said the Trojan stole sensitive data and relayed it to a remote server controlled by the attackers. When Symantec accessed that server, it found over 1.6 million entries containing personal information belonging to several hundred thousand people.
Notably, the data had been pulled from the domains set aside for recruiters and HR personnel, the "Monster for employers" site. "Upon further investigation, the Trojan appears to be using the (probably stolen) credentials of a number of recruiters to login to the Web site and perform searches for resumes of candidates located in certain countries or working in certain fields," Symantec wrote in its forums.
Information Security at Monster.com
Monster.com has provided little information about this latest breach, disclosing neither the number of accounts compromised nor whether the breach was internal or external. That may be standard procedure while the company is still investigating and determining the extent of the damage.
More notable is that the company has decided not to e-mail users, according to a report in The Register, meaning users will only learn of the breach by visiting the Monster.com site and clicking the 'important security information' link, or by reading about it on other sites.
Additionally, the prospect that user information, particularly passwords, was stored unencrypted rather than as salted hashes that cannot be reversed is disturbing, especially for a company that has first-hand experience with breaches and has had two years to firm up its security practices.
Between large corporations leaving data exposed with insufficient security measures and less savvy users reusing the same user name and password across sites, theft of personal information has become a money maker for criminals, who can use it for everything from spam campaigns to outright identity theft.
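As an added illustration of the two points above (plaintext password storage and password reuse), here is what storing passwords as salted, slow hashes looks like in Python, using PBKDF2-HMAC-SHA256 from the standard library. This is example code written for this post; it is not code from Monster.com or from any other party mentioned here. The record format, the iteration count and the helper names are assumptions chosen for the example, and the sample user table is constructed. A site that stores records like these instead of passwords cannot hand an attacker a list of working credentials, and a breach at that site does not directly expose a user's reused password elsewhere (though a weak password can still be cracked offline, which is why the hash is deliberately slow).

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Parameters are assumptions for this example. The iteration count should be
# tuned upward for production hardware, and a memory-hard function such as
# Argon2 or scrypt is preferable where a library for it is available.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'alg$iterations$salt$digest'.

    A fresh random salt is generated per call, so two users with the same
    password never share a stored value, which defeats precomputed tables.
    The parameters are stored alongside the digest so they can be raised
    later without invalidating existing records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and parameters and compare.

    hmac.compare_digest takes time independent of where the first mismatch
    occurs, so digest bytes cannot be learned through timing. Malformed
    records are rejected rather than raising.
    """
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False
    try:
        iterations = int(parts[1])
        salt = base64.b64decode(parts[2], validate=True)
        expected = base64.b64decode(parts[3], validate=True)
    except ValueError:  # covers binascii.Error from b64decode as well
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def build_user_table(credentials: Dict[str, str]) -> Dict[str, str]:
    """What the database should hold: user name -> hash record, never the password."""
    return {user: hash_password(pw) for user, pw in credentials.items()}


def authenticate(table: Dict[str, str], user: str, password: str) -> bool:
    """Login check against the hashed table; unknown users fail the same way."""
    record = table.get(user)
    if record is None:
        # Hash anyway so a missing user cannot be detected by response time.
        hash_password(password)
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    # Constructed sample credentials for the demo; note both users chose the
    # same password yet their stored records differ because of the salt.
    table = build_user_table({"alice": "correct horse", "bob": "correct horse"})
    for user, record in table.items():
        print(user, record)
    print("alice, right password:", authenticate(table, "alice", "correct horse"))
    print("bob, wrong password:  ", authenticate(table, "bob", "battery staple"))
```

Running the block prints two different records for the same password and shows a correct login succeeding while a wrong one fails; the point is that nothing in the table can be read back as a password.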
We have contacted Monster.com for a comment, but officials could not be reached. We will update this post in the event we hear back from them.
Update: Monster Worldwide replies to our questions
RWW: How many user accounts have been compromised?
MW: To be prudent, we are notifying all of our job seekers and customers.
RWW: Will Monster be contacting users?
MW: Monster elected not to send e-mail notifications to avoid the risk that those e-mails would be used as a template for phishing e-mails targeting our job seekers and customers. Monster believes that the combination of on-site notification and password changes is the most effective way to address the situation.
RWW: Is it an internal or external breach?
MW: While Monster is sharing the information necessary to assist and protect our job seekers and customers, we cannot disclose specific details of the situation because we need to protect the integrity of our security systems and our ongoing inquiry into the situation.
RWW: Why are passwords not encrypted, or if they are, how are they compromised?
MW: We don’t comment on specific security measures.