Monster Worldwide Inc. is advising its users to change their passwords after data, including e-mail addresses, names and phone numbers, was stolen from its database.
The break-in comes just as the swelling ranks of the unemployed are turning to sites such as Monster.com to look for work.
The company disclosed on its Web site that it recently learned that its database had been illegally accessed. Monster.com user IDs and passwords were stolen, along with names, e-mail addresses, birth dates, gender, ethnicity and, in some cases, users’ states of residence.
The information does not include résumés or Social Security numbers, which Monster.com said it doesn’t collect.
Monster.com posted the warning about the breach on its site Friday morning.
“We recently learned our database was illegally accessed and certain contact and account data were taken, including Monster user IDs and passwords, e-mail addresses, names, phone numbers, and some basic demographic data,” said the online warning issued by Patrick Manzo, senior vice-president and global chief privacy officer at Monster Worldwide.
The information illegally accessed does not include resumes, social security numbers or personal financial data, Manzo said.
He said upon learning about the incident Monster immediately launched an investigation and took corrective steps. “The company continually monitors for any illicit use of information in our database, and so far, we have not detected the misuse of this information.”
Manzo said protection of customer data is a “high priority” for Monster, and noted that the company’s newly redesigned Web site has “and will continue to add” security features to protect customer information.
He said Monster devotes “significant resources” to ensure it has appropriate security controls in place to protect our infrastructure.
While no company can completely prevent unauthorized access to data”, he said, by reaching out to job seekers, Monster believes it can “help users better defend themselves against similar attacks.”
Monster doesn’t plan to send e-mails to users about the issue, according to Nikki Richardson, a Monster.com spokeswoman. The SANS Internet Storm Center also posted a note about the break-in on Friday.
USAJobs.com, a U.S. government Web site for federal jobs, is hosted by Monster.com and was also subject to the data theft. USAJobs.com also posted a warning about the breach.
Monster.com has been checking for misuse of the stolen information but hasn’t yet found any, it said. The company has made changes since discovering the break-in but won’t discuss them because it doesn’t discuss security procedures publicly and because it is still investigating the incident, Richardson said.
She also would not disclose the volume of data stolen, but Richardson said the company decided it would be prudent to alert all of its users via its Web site.
The company advised users to change their passwords and reminded them to ignore e-mails that purport to be from the company and that ask for password information or instruct the user to download anything.
“Monster will never send an unsolicited email asking you to confirm your username and password, nor will Monster ask you to download any software, ‘tool’ or “access agreement” in order to use your Monster account,” the online warning document signed by Manzo said.
It urged users to review the information on Monster’s security page, http://my.monster.com/securitycenter, which provides “a substantial amount of information about different types of Internet fraud.”
The 2007 Monster hack attack
Monster.com was also hit by hackers in mid-2007.
At that time, the hackers obtained log-in credentials for companies seeking employees and used them to access Monster.com’s database of job seekers. Names, e-mail addresses, mailing addresses, phone numbers and resume IDs were snatched from the database.
Around 5,000 of the people whose data was filched lived outside of the U.S.
A Trojan – Infostealer.Monstres – worked as an automated search bot that located candidates, captured their contact information and sent it to a remote server controlled by the criminals.
Security firm Symantec Corp. said that the server, though located in Russia, was hosted by a company out of Ukraine.
By using Infostealer.Monstres to do their harvesting, the attackers also covered their tracks – the Trojan could be planted on any computer previously compromised, with the search seemingly originating with that computer’s owner – and could easily spread the work out among a number of IP addresses, probably to slip under any Monster radar potentially watching for unusually large numbers of search requests coming from any one location. (There is no evidence at the moment that Monster deploys such radar.)
In that attack, Monster said that it had found contact information on the hackers’ server for about 1.3 million people who had posted resumes.
The thieves also probably relied on some standard tactics to avoid detection, including running the searches from innocent PCs and spreading out the work. Spammers and malware spreaders use zombies to send junk mail and malware for the same reasons.
Personal information purloined from the Monster resume database was used to create, then send, targeted phishing e-mails — the term is “spear phishing” — that spread other malicious software or recruited “money mules,” the middlemen who transfer money from a phished bank account to a foreign bank account. It’s the emphasis where Monster and Symantec part.
In 2007, the Monster.com site was the subject of an attack that same year that inserted malicious code onto certain pages of the site, automatically downloading a virus onto computers that visited the pages.