Monster.com database hacked again
- by Scott Whigham on January 26, 2009 10:35 AM
Over at LearnItFirst, we've used Monster.com in the past to post jobs and, thanks to the power of Digg, reddit, and Hacker News, I recently learned that a massive hack against the Monster.com database successfully filched user names, passwords, and other sensitive account info. This is, unfortunately for me, the 2nd time in 18 months that this has occurred to Monster.com. I did not know about the 2007 attack or else I would've never created my first account (in 2008).
Monster made this information public when it posted a web page summary of the hack this past Friday (Jan 23).
Wait a minute...
Go back and re-read that sentence...
Monster did not choose to email the users whose information was stolen. Instead they chose to put up a single web page with the information (here)... You have to wonder why a massive company would not want to notify its users directly. I certainly cannot think of the reason Monster would choose to do it this way. This seems so arrogant that it sickens me.
What was stolen?
This time, just like the attack in 2007, the information stolen was the data of employers, not potential employees (i.e. job seekers). And both hacks were reported by the same third-party company (Symantec). If you want more information about the hack, read this, this, and this. Check out this blurb from the web page on monster.com:
We recently learned our database was illegally accessed and certain contact and account data were taken, including Monster user IDs and passwords, email addresses, names, phone numbers, and some basic demographic data. Monster does not generally collect - and the accessed information does not include - sensitive data such as social security numbers or personal financial data. Neither resume nor customer transactional data were compromised.
So this tells us that company/recruiter data was stolen and that no one's resume was stolen. Phew!
What they aren't telling us
Monster sells a few different types of products to employers: job postings and resume search. So the hackers stole the data - user names and passwords - for employers... That means that the hackers can now login to Monster.com and perform resume searches that return email, phone, address, and work history for every single job seeker on the site. Bang - if you have a Monster.com job seeker's account, your data has probably been stolen too.
What happened after the 2007 attack was that the hackers did exactly what I just described: they "stole" the Monster database, logged into Monster.com using the stolen credentials, and stole job seekers' data. Once they had that data, the phishing attacks began... In the letter from Monster last Friday, they address this idea:
... we want to remind you that an email address could be used to target "phishing" emails.
So by stealing the employers' login information, the hackers gain access to the job seekers' data. Wonderful. Just friggin' wonderful.
The Monster Solution
So how is Monster handling this? Badly so far, in my opinion. First thing: they didn't send an email to users about the attack. The only notification that an employer or job seeker receives is when (if?) they visit Monster.com. Check out this screenshot from Jan 26, 2009:
Kudos to Monster for addressing this on their site, but it isn't enough. As an employer (LearnItFirst.com sells SQL Server training videos, Windows Server training videos, and more IT training videos), I only log in to Monster when I need to post a job or review a job's applicants. I have no jobs up there at the moment, so I wouldn't have logged in... And, had it not been for my seeing the post about it on Hacker News, I would've never heard about it.
In the web page describing the hack, Monster makes a few statements:
Immediately upon learning about this, Monster initiated an investigation and took corrective steps. It is important to know the company continually monitors for any illicit use of information in our database, and so far, we have not detected the misuse of this information.
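The monitoring Monster describes above has to catch the scenario laid out earlier in this post: a stolen employer login being used to run resume searches at a rate no real recruiter would. The following is an added illustration of what such a check could look like, not Monster's code, and it runs over a constructed access log (hypothetical account IDs, documentation-range IPs, and made-up timestamps). It flags any employer account whose resume-search rate in a sliding one-hour window, or whose spread of source IPs, exceeds a threshold.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed access log, not real data. Two hypothetical employer accounts:
    emp-1042 behaves like a normal recruiter; emp-2210 looks like a stolen
    credential being used to bulk-harvest job seekers' resumes."""
    lines = [
        "2009-01-24T09:01:10 emp-1042 login 198.51.100.7",
        "2009-01-24T09:02:30 emp-1042 resume_search 198.51.100.7",
        "2009-01-24T09:05:12 emp-1042 resume_search 198.51.100.7",
    ]
    start = datetime(2009, 1, 24, 9, 5, 40)
    ips = ["203.0.113.9", "203.0.113.10", "203.0.113.11", "203.0.113.12"]
    for i in range(60):
        ts = (start + timedelta(seconds=10 * i)).isoformat()
        action = "login" if i % 15 == 0 else "resume_search"
        lines.append(f"{ts} emp-2210 {action} {ips[i % len(ips)]}")
    return "\n".join(lines)


def parse_log(text):
    """Parse 'timestamp account action ip' lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, action, ip = line.split()
        events.append({"ts": datetime.fromisoformat(ts),
                       "account": account, "action": action, "ip": ip})
    return events


def flag_accounts(events, window=timedelta(hours=1), max_searches=20, max_ips=3):
    """Return {account: [reasons]} for accounts that exceed either threshold.

    max_searches: most resume searches allowed inside any sliding `window`.
    max_ips: most distinct source IPs allowed for one account overall.
    Thresholds are illustrative; a real deployment would derive them per account
    from its historical baseline."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e)

    flagged = {}
    for account, evs in by_account.items():
        reasons = []
        searches = sorted(e["ts"] for e in evs if e["action"] == "resume_search")

        # Two-pointer sliding window: the largest number of searches whose
        # timestamps fall within `window` of each other.
        peak, j = 0, 0
        for i, t in enumerate(searches):
            while t - searches[j] > window:
                j += 1
            peak = max(peak, i - j + 1)
        if peak > max_searches:
            reasons.append(f"{peak} resume searches within {window}")

        ips = {e["ip"] for e in evs}
        if len(ips) > max_ips:
            reasons.append(f"{len(ips)} distinct source IPs")

        if reasons:
            flagged[account] = reasons
    return flagged


if __name__ == "__main__":
    for account, reasons in flag_accounts(parse_log(build_sample_log())).items():
        print(account, "->", "; ".join(reasons))
```

On the constructed log, emp-2210 is flagged on both counts while emp-1042 is left alone. The two signals are deliberately independent: a harvester working slowly from one IP still trips the rate check over a long enough window, and a credential shared across several machines trips the IP check even at a low rate.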
Of course, the questions on anyone's mind are, "How did this same situation happen again in 2008/2009? What exactly are those corrective steps that you put in place?" and "Why is it that only the people who visit your website should learn of the problem?"
So, back to the letter...
The letter suggests that I login proactively (instead of waiting for Monster.com to send me an email suggesting that I change my password). I actually logged into Monster.com this morning and here's the page I see after logon:
They are now asking me for extremely sensitive information - information that could be used to identify me on sites across the world or by telephone. Some of the questions asked are:
- What month and day is your anniversary?
- What are the last 5 digits/letters of your driver's license number?
- What is the name of the street that you grew up on?
And the worst thing is that you must answer three of these questions to continue. That's right - not only has Monster's database been hacked twice recently and had sensitive account information stolen but now they want even more sensitive information from me.
I said, "No thank you"
Monster did offer some advice in the letter:
"In order to help assure the security of the database, you may soon be required to change your password upon logging in or upon notification by one of Monster's customer service representatives. We would also recommend you proactively change your password yourself as an added precaution. We regret any inconvenience this may cause you, but feel it is important that you take these preventative measures."
So I took Monster's advice and I have taken preventative measures: I have asked that my account be removed. I will not answer those security questions that Monster asks, nor will I do business with Monster.com again. I have two job postings remaining on my account now and I've just sent an email explaining that I want a refund because I do not trust them with my information. Here's what I wrote:
I am not satisfied that you will protect my online account information and I'd like two things:
1) A refund on my remaining two job posts
2) My account removed from your database
This is the 2nd time in 18 months that you have had a data breach. When I logged in today, you asked me three new security questions - which, if I answer, I think will get passed to criminals and this would therefore disrupt my entire online security.
I will not complete this questionnaire nor do I wish to continue using your company. Please refund my money and remove my name from your database.
I also notified the FTC, my local state attorney general, and the Better Business Bureau to inform them of the problem. I want my account utterly removed from their database; I don't just want to unsubscribe from emails or what not. I care not to do business with them.
It upsets me that Monster did not notify its users proactively and it is for that reason that I wrote this article. I hope that someone who had not heard of the breach learns about it from here and takes "preventative action" so that they are not vulnerable in the future.




And you don't think this happens daily on linkedin, yahoo, careerbuilder? Very naive my friend! The only difference is, these guys disclosed it
I don't think it's naive at all. This is the third big breach Monster has had. One breach is forgivable. But *three*? C'mon. Other big job sites haven't made three major breach announcements.
jobs.nsw.gov.au has also been hacked - site is still down - over 1 week now. Like Monster.com they also chose not to directly notify its users that their personal information had been stolen by hackers. I blogged about it, see my URL :0