Employment search site RecruitIreland.com has reopened its doors following a security breach that exposed users' names and email addresses. The site, which claims to add 350 new users each day and email a newsletter to 170,000 registered job candidates, warned that some clients were already receiving spam that tried to recruit …
Everyone interested by the data...
... except employers.
It could have been worse
Hackers got first name, last name and an email address. I was a victim of the subsequent phishing attack which was pretty amateurish. But it does illustrate (yet again) that some sites really aren't paying as much attention to keeping their data safe as they should. This is especially true of sites which deal with real world names and data. It's one thing to have a pseudo hacked on a forum, it's quite another when spammers have your info in real life.
Yes, I got one of these e-mails. I'm glad I now know what it was all about. Looking at the thing rang alarm bells and I just deleted it, I have also deleted my account with RecruitIreland. I haven't used it in years and sheer inertia kept it going. So in one way the spammers did me a small service.
Coding standards at all time low?
I've been recieving spam for the address I've used on jobsite, for years. I never
saw action or apology from jobsite when it started. Has recruitireland actually apologised to its subscribers?
Well done el Reg - no spam to the address I use with you and long may it remain so.
I stopped using Monster because I have been getting lots of junk email ever since I used Monster. I am hoping that jobsite and a few others will be helpful in job hunting. The worst are JAM. I have been getting all sorts of useless jobs coming my way from them. I only just finished university, I don't think I will be able to get a 60k first job!
Don't get me started on job agencies and how they love to mangle CVs.
I remember that site
Now, I *seem* to recall RecuitIreland as being one of the ones that would respond to simple "Anything' or 'x'='x'" type submissions (basic security 101 stuff), by sending back XML stacks of user data. I quite recall my surprise, the first time it happened: it was all indented properly, and had namespace references, and everything. This was really pretty XML.
I only got it to send me back my own data (including values I had submitted on previous sessions, though, so it was definitely coming from a datastore, somewhere) but I wasn't pursuing it with any rigour (I wasn't trying to get a job with a recruitment website: I was mainly applying for jobs with banks, in fact...! Just think: Irish banks. Seemed like a pretty good bet, at the time. How things have changed!)
I didn't know what to make of this XML-squirting behaviour. AJAX didn't exist (as a web 2.0 buzzword, at least), and so I just guessed that what I was seeing was intended for some sort of VB application they were using internally. year later, I realised that it may have been an early example of the use of an XMLHTTP object for asynchronous page loading, since I remember that the site in question didn't work in IE 4, either.
It was a lot of years ago, and it may have been completely unrelated to this story - but it does illustrate how basic security will fix 90% of the problem, and that one of the best excuses for coding to standards, is that it stops you from being interesting enough to look at, in the first place.
I wrote to the site maintainers, at the time, telling them about this odd behaviour, but never got any acknowledgement (I never got a job in an Irish bank, either, but in hindsight that may not have been such a bad thing).
Why did they patch it 3 times?
To be sure, to be sure, to be sure.
I just changed my password over at Monster. The new password is POSTed over an UNENCRYPTED connection.
Isn't that comforting? I just spent two weeks implementing a custom user security system for my new user registration application that I built from the ground up, with SSL, passwords stored with SHA256 & salt,, multiple security redundancies... and here Monster can't be bothered to apply the basics.
"I apogolise from the heart of my bottom"
@ Jan 0: yes, Recruit Ireland emailed its subscribers to apologise for the security breach. Haven't visited their website, but their Facebook page carried the apology as well. Not sure if my details were hacked, I suppose I'll know when I get some dodgy job offers!
- Review Is it an iPad? Is it a MacBook Air? No, it's a Surface Pro 3
- Microsoft refuses to nip 'Windows 9' unzip lip slip
- Tesla: YES – We'll build a network of free Superchargers in Oz
- Netflix swallows yet another bitter pill, inks peering deal with TWC
- Special Report Roll up for El Reg's 3G/4G MONOPOLY DATA PUB CRAWL