Monster.com Loses User Data Again

UPDATE: Nikki Richardson, VP Corporate Communications at Monster Worldwide, has replied to our e-mail saying that the company is in the process of contacting users but cannot disclose specific details of the breach right now. If you’re interested in reading the entire communication, please scroll down to the end of the post.

Popular online job site Monster.com acknowledged a security breach of its user database Friday and is recommending users immediately change passwords and be on the lookout for phishing e-mails. The compromise is the second in two years for Monster.com and involved the loss of user log-in details, passwords, email addresses, names, and telephone numbers.

This breach also affected Monster.com’s client, USAJOBS, the official job site of the US government.

Drive-by Downloads and Trojans at Monster.com in 2007

In August 2007, virus writers set their sights on Monster.com using a Trojan in advertisements on the site as a means of installing malicious software on visitors’ machines. While some ads required a visitor to click on the ads, others merely needed a visitor to land on the page hosting the ad.

Symantec, which had been monitoring and analyzing the attack, said that the Trojan stole sensitive data and relayed the information to a remote server controlled by the attackers. When Symantec accessed the remote server, it found over 1.6 million entries containing personal information belonging to several hundred thousand people.

Interesting to note was that the data was accessed from specific domains set aside for recruiters and HR personnel – the “Monster for employers” site. “Upon further investigation, the Trojan appears to be using the (probably stolen) credentials of a number of recruiters to login to the Web site and perform searches for resumes of candidates located in certain countries or working in certain fields,” Symantec wrote in their forums.

Information Security at Monster.com

Monster.com has provided little information about this latest breach, disclosing neither the number of accounts compromised nor whether it was an internal or external security breach, but this could be standard procedure given that the company is still investigating and determining the extent of the damage.

However, it is interesting to note that, according to a report in The Register, the company has decided not to e-mail users, meaning users will only learn about the breach by visiting the Monster.com site and clicking on the ‘important security information’ link, or by reading about it on other sites.

Additionally, the storage of user information, particularly passwords, in unencrypted form is disturbing, especially for a company that has had first-hand experience with information security breaches and has had two years to firm up its security policies.
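As an added illustration of the point above (this is example code, not code from the post or from Monster.com), here is a constructed user-record store in the two forms: one keeping the password as-is, the other keeping only a per-user salt and a PBKDF2 hash, so that a copied table reveals nothing directly. All function and field names are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256 (assumed value for the example).
PBKDF2_ITERATIONS = 200_000


def store_plaintext(password: str) -> dict:
    """Weak model: anyone who copies the record holds the password itself."""
    return {"scheme": "plain", "secret": password}


def store_hashed(password: str, salt: Optional[bytes] = None) -> dict:
    """Stronger model: random per-user salt plus an iterated, keyed hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {
        "scheme": "pbkdf2-sha256",
        "salt": salt.hex(),
        "iterations": PBKDF2_ITERATIONS,
        "hash": digest.hex(),
    }


def verify(record: dict, candidate: str) -> bool:
    """Check a login attempt against either record type in constant time."""
    if record["scheme"] == "plain":
        return hmac.compare_digest(
            record["secret"].encode("utf-8"), candidate.encode("utf-8")
        )
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def password_readable_from(record: dict) -> Optional[str]:
    """What a copy of the stored record reveals on its own: the password for
    a plaintext record, nothing for a hashed one."""
    return record["secret"] if record["scheme"] == "plain" else None
```

With hashed records the breached table still allows offline guessing, which is why the iteration count and a password change after a breach both matter.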

Between large corporations leaving data exposed with insufficient security measures, and less tech-savvy users reusing the same username and password across sites, theft of personal information has become a money maker for the bad guys, who can use it for all sorts of nasty things: at worst, identity theft; at best, a flood of spam.

We have contacted Monster.com for a comment, but officials could not be reached. We will update this post in the event we hear back from them.

Update: Monster Worldwide replies to our questions

RWW: How many user accounts have been compromised?

MW: To be prudent, we are notifying all of our job seekers and customers.

RWW: Will Monster be contacting users?

MW: Monster elected not to send e-mail notifications to avoid the risk that those e-mails would be used as a template for phishing e-mails targeting our job seekers and customers. Monster believes that the combination of on-site notification and password changes is the most effective way to address the situation.

RWW: Is it an internal or external breach?

MW: While Monster is sharing the information necessary to assist and protect our job seekers and customers, we cannot disclose specific details of the situation because we need to protect the integrity of our security systems and our ongoing inquiry into the situation.

RWW: Why are passwords not encrypted, or if they are, how are they compromised?

MW: We don’t comment on specific security measures.
