That's a Monster of a data breach

In Monday's IT Blogwatch, Richi Jennings watches bloggers watch get hacked -- again. Not to mention a hot accessory for your sniper rifle...

Nancy Gohring fries an egg on it: logo is advising its users to change their passwords after data including e-mail addresses, names and phone numbers were stolen from its database. The break-in comes just as the swelling ranks of the unemployed are turning to sites like to look for work.
The company disclosed on its Web site that it recently learned its database had been illegally accessed. user IDs and passwords were stolen, along with names, e-mail addresses, birth dates, gender, ethnicity and, in some cases, users' states of residence. The information does not include Social Security numbers, which said it doesn't collect, or resumes.

Dan Goodin has déjà vu:

For the second time in 18 months, employment search site has lost a wealth of personal data belonging to millions of job seekers ... The company has decided not to email or phone customers to warn them of the breach ... The only warning is this undated advisory, which users will only know about if they happen to visit the company's website.

It's at least the third time has put its users at risk after suffering a significant security breach. In August 2007, a Trojan-horse program used pilfered employer credentials to siphon resume data belonging to some 1.3 million people. Within days, many users started receiving targeted phishing attacks that tried to trick them into downloading malicious software or take jobs as money mules for online crime gangs. The company made much fanfare about plans to improve security, but two months later, it was hit again when attackers hijacked some of its job listings and used them to infect visitors with malware.

Lidija Davis is disturbed:

The issue of storing user information, particularly passwords, in unencrypted format is disturbing, especially for a company that has had first-hand experience with information security breaches and has had two years to firm up its security policies.

Between large corporations leaving data exposed with insufficient security measures, and un-savvy tech users using same password/user accounts across the board, theft of personal information has become a money maker for the bad guys who can use it for all sorts of nasty things; at worst, identity theft, at best, the horror spam attacks.

Michael Dehaan agrees:

[It] leads me to wonder why there aren't federal standards against storage of plaintext or plaintext-equivalent passwords in web databases. Not notifying users when it happened is worse -- how many people actively look at Monster's homepage?

This is also a good reason why you should never reuse a password for multiple websites. Why? You can't always trust the code and the people behind them ... It used to be that viruses were more destructive and designed for amusement; now it seems they are largely used to build botnets.

Joel Esler advises:

I am sure some phishing attempts will come of this, as both of the press releases allude to.

Monster states in their release that you will be required to change your password on the site soon. So I'd recommend that you go ahead and do that proactively. Don't use a password that you'd use anywhere else. (For those of you that use the same password on and You know who you are!)

pimpimpim just laughs:

The change password feature does NOT ask you for your old password. So anyone who finds an open monster session e.g. in an internet cafe can change the password of that user and kidnap the account ... Not very promising.
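The two complaints above (passwords kept in plaintext, and a change-password form that never asks for the old password) map onto a short Python sketch, added here as an illustration and not Monster's own code: the store keeps only a salted PBKDF2 hash, and the password-change step re-authenticates with the current password before doing anything. The in-memory user store, function names and iteration count are assumptions for the example.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store for the example: username -> salt + hash.
# A database dump of this contains no plaintext or plaintext-equivalent secret.
USERS = {}

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 from the standard library; only this value is stored
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register(username: str, password: str) -> None:
    # Fresh random salt per password, so equal passwords hash differently
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": hash_password(password, salt)}

def verify(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        return False
    candidate = hash_password(password, rec["salt"])
    # Constant-time comparison of the stored and recomputed hashes
    return hmac.compare_digest(rec["hash"], candidate)

def change_password(username: str, old_password: str, new_password: str) -> bool:
    # Re-authenticate first: a live session alone (an open browser in an
    # internet cafe) is not enough to take over the account
    if not verify(username, old_password):
        return False
    if new_password == old_password:  # assumed policy: new password must differ
        return False
    register(username, new_password)  # new salt, new hash
    return True

def leaked_record(username: str) -> dict:
    # What an attacker with the database row would actually see
    rec = USERS[username]
    return {"salt": rec["salt"].hex(), "hash": rec["hash"].hex()}

if __name__ == "__main__":
    register("alice", "correct horse battery")
    print(change_password("alice", "guess", "other"))                   # False
    print(change_password("alice", "correct horse battery", "other"))   # True
    print(leaked_record("alice"))
```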

db32 has a better idea:

If you have a Monster account cancel it and leave a note in the "why are you canceling?" box.

Don't make it some rant, but make sure you explain that you will not tolerate their incompetence, their unwillingness to take security of their users' personal information seriously, and their total lack of integrity by trying to hide the breach from their users ... Finding jobs is all about is taking down misbehaving companies.

This Anonymous Coward sees the irony:

If only there was some kind of service where you could advertise for a network security guy...

And finally...


Richi Jennings is an independent analyst/adviser/consultant, specializing in blogging, email, and spam. A 23 year, cross-functional IT veteran, he is also an analyst at Ferris Research. You can follow him on Twitter, pretend to be Richi's friend on Facebook, or just use boring old email:
