For the second time in 18 months, employment search site Monster.com has lost a wealth of personal data belonging to millions of job seekers after its database was illegally accessed. The Massachusetts-based website is warning all its customers that their names, birth dates, phone numbers, user IDs and passwords, email addresses …
Even without a breach
There doesn't need to be a breach for your personal information to be stolen. Any crook pretending to be a hiring HR department can buy personal info in bulk. I registered during the dot-bomb era and suddenly started getting tons of job offers through Monster - that turned out to be fraud schemes. Having resumes allowed the sales pitches to be exactly tailored. Most failed scrutiny over the phone. One was good enough to sucker me into a posh corporate office. The job position was exactly what I and several other applicants were looking for. Guards stood at the exit as we were told of a project that needed secrecy and new hires. And it needed thousands of dollars in training fees - fees that we could collect back by training others. I cursed and stormed out of the room. Everything was different on the way out. Rooms were dark and the receptionist was gone. It was all staged by squatters in a vacated office.
I edited my account to show fake contacts after that.
So passwords are stored in a recoverable format?
"The Massachusetts-based website is warning all its customers that their names, birth dates, phone numbers, user IDs and passwords, email addresses, sex and ethnicity have been pilfered."
WTF? Have they never heard of MD5 or SHA1?
I'd love to hear them try and justify storing recoverable passwords in the database...
Use semi-fake personal information
I use incorrect information when posting personal details online. For example, for my birth date I provide a date near it, so that the information is demographically accurate but the information is useless to anyone trying to steal my ID. This is, of course, only for sites where the information is not optional. The best way to secure personal data is to never provide it.
Vacancy being made available for new spokesperson
"no company in our business can completely prevent unauthorized access to data"
So, they need a better spokesperson AND better IT staff. Monster.com... ironic isn't it?
@AC / Ironic
No, what's ironic is the ad I saw on US TV tonight with a voice over saying "There's never been a better time to join monster.com"
He says "We take this very seriously,". He's a bloody liar. If they fucking took it seriously, they would have taken effective measures the FIRST time this shit happened.
Amazing, ain't it? If big and presumably tech-savvy corporates keep "losing" stuff like that, what chance have we got with incompetents like our UK government keeping data safe on an ID card database? I wouldn't mind betting that, even as I speak, hackers are rubbing their collective hands together in anticipation of an early-morning milking.
Further to previous post - small example:
"We are deeply sorry," said Joe Rafferty, chief executive of Britain's National Health Service for the Central Lancashire region. "This should never have happened." An NHS employee lost a computer memory stick containing the health information of as many as 6,360 patients. But the good news is, the clerk who lost the memory stick made sure the data on the removable device had been encrypted for privacy. On the other hand, when he lost the device, there was a sticky note attached to it with the encryption password written on it.
From "This Is True" (http://thisistrue.com)
If this sort of thing happens at this low level, saints preserve us when "they" get cracking on an ID database.
What about the UK?
Does this breach affect the UK version of Monster at monster.co.uk? I have my CV there.
There should be international laws in place making data collectors, regardless of who they are, liable for the damages and/or losses caused to anyone who suffers as a result of a data breach.
A slightly damaged reputation does not help the victims of such incompetence. Punitive measures resulting in the loss of large sums of money may, just may make a difference to how these data hoarding entities look after our personal data. Or at least cause those incapable of protecting data to shut up shop.
"The company has decided not to email or phone customers"
Exactly what level of breach do they need to occur for them to think it worthwhile to e-mail people?
I agree completely - My account also has fake email, phone number, mailing address and no resume on their site.
Morons are the only ones who risk getting their social security number lifted since Monster does not require one and it serves no purpose putting it on a CV.
Monster is probably the most popular website for jobs, at least here in Metro NY. I can attest to this as a significant portion of the lucrative IT contracts I've engaged in were through the monster (Dice.com second place). Please note I am not affiliated with either website but the fact remains that recruiters use it, Fortune 100 firms use it, job seekers use it, and yes, scammers use it as well.
Once you've registered you can reply to prospective employers either by emailing them or cutting and pasting your CV in a message. If you decide to have your resume online by all means DO NOT make it searchable unless you have nothing better to do than delete spam for 8 hours a day. It is precisely for this reason that having a separate email for resume sending/receiving is a must since I've seen lots of bogus postings on that site (don't get me started on those "job fairs").
I realize the practice of registering with false info is a violation of practically any website's T.O.S. you use but what guarantee do you offer that my data is safe? Your "commitment to privacy" and other blanket statements on your site offer little consolation when my credit score goes down the toilet because someone opened up loans/credit cards with my pilfered info.
When it comes to my personal info the line between paranoia and vigilance is very, very thin.
P.S., any service that makes you pay a fee for employment is automatically a scam. I have noticed them sprouting up like weeds. "The most 100k jobs" hahahahahhaha!
Breach is probably for all countries
I just went to monsterboard.nl and it also contained a 'warning' with advice to change your password.
Who in this day and age stores passwords unencrypted? That is really security 101...
Worry not, use http://supergenpass.com/ at least it will stop automated systems compromising your webmail account, because YOU don't use the same password do you? unlike the rest of the great uneducated.
So that explains it!
I've received no less than 3 Monster.com phishing emails today.
Unencrypted passwords in database = Fail
Unencrypted passwords in database that has been hacked twice already = Epic Fail
not deja vu
Deja Vu is when you feel that you've done or seen something before *WHEN YOU KNOW YOU HAVEN'T*
It doesn't mean "when something happens twice"
They don't take it seriously
For months now I've been getting spam money-mule jobs ads sent from "monster.com" (yeah right) sent to a unique email address I supplied to Monster and no-one else. I accept there's nothing Monster can do now after the event, but when I notified them when it started, Monster never acknowledged that this was evidence that someone had ransacked their database - for email addresses at the least.
gotta love it
I read what Monster had to say about this. It's always funny when these big sites screw up and lose your data they tell you "change your password, we may be forcing you to change your password".
Why can't they secure stuff to begin with? Why does a disaster have to occur before security is where it should have been? It's stupidity like this that has shoved PCI compliance down the throats of the small merchants. The small merchants that always kept their data secure have to now pay even more to stay afloat to comply with regulations they were probably already for the most part compliant with from the beginning because these big companies screw things up.
Re: What about the UK?
Yes, the UK site has the same info as the American and Netherlands sites, so it does seem like the whole lot has been compromised. I've not been looking for jobs recently so have just cancelled my membership - not that it'll help now my details are already lifted. Hopefully, if enough people vote with their feet, they (and others) might take security seriously!
Further to "they don't take it seriously"
In response to my first email to Monster last April about spoofed/fraudulent mail sent to email addresses leaked from the Monster database, they replied:
"Thank you very much for bringing this matter to our attention. Monster takes both spamming and "phishing" emails very seriously, as part of our commitment to making our users' experience on our site as safe as possible. As you may know, Monster takes proactive measures to provide job seekers with a safe job searching forum, but we also rely on our users to report these types of issues so that we may take appropriate action.
In order that we can investigate the origin of this message, could you please forward the entire email complete with full header information..."
In response to that (a selection of "Green Tree" spam), Monster wrote:
"Thank you for taking the time to bring this to our attention. The email you are inquiring about is called an 'email spoof'. This e-mail spoof uses the Monster name to add credibility to the fraudulent offer. Please be aware that this is not a Monster authorized email.
This email is attempting to engage unsuspecting individuals in a money laundering scam. It is in your best interest to disregard the email. Do not engage with the entities! If you did begin correspondence and have started the required financial transactions, it is recommended that you contact local law enforcement immediately to request the appropriate steps to absolve yourself from any wrong doing."
I pressed them further on the fact that the email address being used by the scammers to contact me (of the form firstname.lastname@example.org) had demonstrably been lifted from their system:
"Given that the fraudulent email names Monster Jobs AND is being sent to an email address I supplied SOLELY to Monster Jobs, I put it to you that this is strongly indicative that the fraudsters have specifically harvested email addresses from the Monster website or database. I find this worrying.
I would like you to recognise my point, and acknowledge that you are taking seriously the harvesting (by fraudsters) of addresses from your site."
Date of birth - on a job seekers site?!
People put dates of birth into Monster. Really? In 2009? I thought age discrimination was illegal. Next you'll be telling me that people are stupid enough to put in marital status, religion and children's ages. DOH
Question - does anybody know...?
Monster also has street addresses unencrypted - can we assume those were taken as well?
If so, do I need to watch out for loans being taken out or weird credit card stuff?
And it appears you can't cancel an account now? Unless I'm being blind...
Oh, and to cap it all, they can't even hide errors properly:
Cowboys like this give ASP developers (classic as the old site, .net as the new) a bad name :(
"He says "We take this very seriously,". He's a bloody liar. If they fucking took it seriously, they would have taken effective measures the FIRST time this shit happened."
I don't think they are taking it seriously the third time.
Browsing a few pages, with right-click and view source later what do we find?
A hidden field with what looks suspiciously like an SQL phrase.
Nurse, bring me the syringe I want to do an SQL injection.
Somewhere there is a programmer who is depriving a village of its idiot.
Rob: "And it appears you can't cancel an account now? Unless I'm being blind..."
Login, hit Preferences up top (the near invisible grey link) then Cancel Membership --> Cancel Membership.
Recently went for a job interview with TMP worldwide
I recently went for a job interview with TMP, this is the company which used to own Monster according to them. Do a little digging and you find they still own a sizeable chunk of the website.
Being smart at the interview, I decided to discuss the company history and the evolution of recruitment on the H'interweb.
So some words of advice if you get invited for an interview.
1. Don't talk about security.
2. Don't talk about mistakes.
3. Don't talk about losing information.
4. Crappy terms and conditions.
Do talk about all the interesting things they have done.
1. Like their on-line recruitment fair
3. shall we move onto something else
They did ask me did I use Monster. I said no because they had a bad rep about spam and protecting information.
So what's the problem with the company? Too many web admins working in isolation with nobody checking up on them.
What was the job? Web Admin.
Did I get the job? We mutually agreed that I wasn't suitable.
Am I glad. Yes!
Monster always were a useless bunch. Jobshite too
Both Monster and JobShite sent me Herbalife distribution "opportunities" when I signed up to them. Both of them told me that these were genuine job offers when I put it to them that these were pretty damn close to Ponzi schemes, if not actually Ponzi schemes. I asked not to be sent them any more, but they demurred.
I will never, ever, ever, ever (is that clear enough ??) use either Monster or JobShite either as a recruiter or a candidate. That was enough evidence to demonstrate that both are totally unprofessional, and that they solely wanted the ad income, whatever its source.
Imagine my surprise when a few months later Monster suffered their first data breach.
Bill, coz his business "ethics" match to a tee
This is what I got [eventually] for my question "RE the recent security breach, can you confirm whether passwords are being stored in plain text (i.e. unencrypted) form in the Monster databases?":
Response (Christy Thompson) 02/03/2009 08:31 AM
Thank you for contacting Monster Global Customer Services. I do apologize, but I can not confirm how the passwords are stored in our database.
Monster Global Customer Services