Slashdot Mirror


Monster.com Attacked, User Data Stolen

Placid writes "The BBC has an article detailing a successful attack on the US recruitment site, Monster.com. According to the article, 'A computer program was used to access the employers' section of the website using stolen log-in credentials' and that the stolen details were 'uploaded to a remote web server'. Apparently, this remote server 'held over 1.6 million entries with personal information belonging to several hundred thousands of candidates, mainly based in the US, who had posted their resumes to the Monster.com website'. The article also links the break-in to a phishing e-mail sent out recently where personal details were used to entice users to download a 'Monster Job Seeker Tool.'"

11 of 196 comments

  1. Monster attack steals user data by Nibbler999 · · Score: 5, Insightful

    I like the BBC headline better.

    1. Re:Monster attack steals user data by ObsessiveMathsFreak · · Score: 4, Insightful

      I liked it when Slashdot got its tech stories before the mainstream news outlets.

      --
      May the Maths Be with you!
  2. hmmm by wizardforce · · Score: 3, Insightful

    So Monster had no way of preventing some set of IP addresses from downloading over a million entries? Does that sort of thing happen a lot and they didn't think it was unusual, or what? It would just seem to me that if there were a lot of servers downloading an unusual amount of entries, there should be some way to prevent that...

    --
    Sigs are too short to say anything truly profound so read the above post instead.
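One way to answer the question above, as an added example that is not from the poster or from Monster.com: a sliding-window detector over constructed employer-section access logs that flags any client IP or employer account pulling an unusual number of distinct resumes. The log line format, the window, the threshold and all names are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Expected line shape (constructed for this example, not a real log format):
# <client_ip> <employer_account> <ISO-8601 time> GET /employer/resume/<id>
LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<account>\S+) (?P<ts>\S+) GET /employer/resume/(?P<id>\d+)$"
)


def parse(line):
    """Return (ip, account, timestamp, resume_id) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m["ip"], m["account"], datetime.fromisoformat(m["ts"]), m["id"]


def flag_bulk_access(lines, window=timedelta(minutes=10), max_views=50):
    """Return {(dimension, value): peak} for every client IP and every employer
    account that viewed more than max_views distinct resumes inside any
    sliding window of length `window`. Lines must be in timestamp order."""
    recent = defaultdict(deque)  # key -> (ts, resume_id) pairs still inside the window
    peak = defaultdict(int)
    for ip, account, ts, rid in filter(None, map(parse, lines)):
        for key in (("ip", ip), ("account", account)):
            q = recent[key]
            q.append((ts, rid))
            while ts - q[0][0] > window:  # drop views that fell out of the window
                q.popleft()
            peak[key] = max(peak[key], len({r for _, r in q}))
    return {k: v for k, v in peak.items() if v > max_views}


def build_sample_log():
    """Constructed sample: one recruiter browsing normally and one stolen
    credential (same account) used from a second IP to scrape in bulk."""
    t0 = datetime(2007, 8, 20, 9, 0, 0)
    events = [(t0 + timedelta(minutes=5 * i), "203.0.113.5", "acme_hr", 1000 + i)
              for i in range(12)]                      # 12 views over an hour
    events += [(t0 + timedelta(seconds=i), "198.51.100.7", "acme_hr", 5000 + i)
               for i in range(400)]                    # 400 views in under 7 minutes
    events.sort()
    return [f"{ip} {acct} {ts.isoformat()} GET /employer/resume/{rid}"
            for ts, ip, acct, rid in events]


if __name__ == "__main__":
    for (dim, value), views in flag_bulk_access(build_sample_log()).items():
        print(f"{dim}={value}: {views} distinct resumes in a 10-minute window")
```

Flagging on the account as well as the IP matters here: a scraper spread across many addresses still concentrates on the credentials it stole, so the per-account count trips even when each IP stays under the threshold.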
  3. Re:The real question is by dfgchgfxrjtdhgh.jjhv · · Score: 3, Insightful

    the government already has all that data (and more), but it is worth quite a lot to spammers.

  4. Re:Monster doesn't help anyway--why use it? by bakana · · Score: 3, Insightful

    Yes, who you know is important. But, if I know someone that works at a cool place and a job isn't available, where do I look? Your friend isn't going to create a job for you; he can tell you when a job will open up. I highly doubt he can talk his upper management into thinking a 3rd sysadmin would be needed. A lot of people get jobs because of who they know; for the rest of us who don't rub elbows with the Donald Trumps of IT, we get our jobs the old fashioned way. You either get recruited out of college, like myself, or you go through newspaper, Monster.com, and Dice like millions of others.

  5. Re:Phishing Attack by timmarhy · · Score: 4, Insightful

    It seems to be a universal fact that to be in HR you need to always have an IQ lower than the people you are interviewing. It certainly has been in every company I've worked at.

    Remember, these are the type of people who were putting "5 years experience required in windows 2003 admin" in 2005.

    --
    If you mod me down, I will become more powerful than you can imagine....
  6. Re:Phishing Attack by arivanov · · Score: 5, Insightful

    Err... You are missing the point.

    Monster.com was broken into for spearphishing, not for sending bulk emails regarding "Bank of America". Spearphishing as a term is used to describe a phishing setup which is designed to hit a victim specifically by using a victim-specific ruse based on knowledge of personal data.

    Recruitment agencies are actually a prime target for such attacks:

    1. Nearly all of them (even the specialised unix oriented ones) require all CVs in Microshit Word so pushing a custom Trojan is trivial.
    2. Nearly all of them systematically violate the Data Protection Act and other similar statutes which require them to remove customer data from their databases when no longer needed. So far in the UK only 3% of the ones I have asked to remove my details have complied with the request. Amidst the most vile violators are the two biggest MOD oriented agencies and more than 50% of the top 20 (by job posting numbers).
    3. In addition to that, apparently at least one UK (and international) job board also does not remove customer data even if you delete your account from there. As a result the agencies are re-fed your details on a regular basis.
    4. The agencies possess enough data for a perfect spearphish: date of birth, nationality, postal address, occupation, prior job history, current and past salaries as well as further background. In some cases where they have been subcontracted to do HR they possess even more data like NSNs/SSNs, credit ratings and the like.

    Frankly this is an industry that is in desperate need to be smacked with some vile regulation compared to which SOX and the recent health IT regs in the US are child's play. They need to be straightened out and made to follow the laws of the land with regard to customer privacy. At the moment they are systematically ignoring them and in many cases they possess more of your personal information than your bank.

    So let's hope that the Monster case will cause some moves towards that.

    --
    Baker's Law: Misery no longer loves company. Nowadays it insists on it
    http://www.sigsegv.cx/
  7. Re:Blame the data security officers & project by timmarhy · · Score: 2, Insightful

    It's called division of power. Don't allow any one person the power to perform such a hack, and it raises the bar a lot.

    --
    If you mod me down, I will become more powerful than you can imagine....
  8. Re:Phishing Attack by Anonymous Coward · · Score: 2, Insightful

    Spearphishing as a term is used to describe a phishing set up which is designed to hit a victim specifically by using a victim specific ruse based on knowledge of personal data.

    And this month's award for the shittiest neologism goes to...
  9. Re:"US recruitment site"?? by Anonymous Coward · · Score: 1, Insightful

    And the WWW was originally designed by that well known Briton who was living in France and working in Switzerland...

    Besides, the article is written from the POV of the British reader, being as it's on a British news site, and it was necessary to distinguish it from the UK portal.

    Not everyone lives in the US you know...

  10. Re:Monster doesn't help anyway--why use it? by crabpeople · · Score: 2, Insightful

    Do you work for a newspaper's classified section or something? I've done literally hundreds of craigslist deals and the worst you get is flaky people who hum and haw wasting time, or ask stupid questions. Cheque scams? I've never had anyone even offer to pay with anything but cash...

    The majority of items in my apt were purchased off of craigslist. Not to mention my car, my current job and the apt itself.

    --
    I'll just use my special getting high powers one more time...