Monster.com Data Stolen, Won't Email Users
chiguy writes "There's been another break-in at Monster.com. It's surprising that there are still unencrypted passwords stored in database despite the previous hack, as is the decision to not email users — presumably so that no one will make a fuss. From PC World: 'Monster.com user IDs and passwords were stolen, along with names, e-mail addresses, birth dates, gender, ethnicity, and in some cases, users' states of residence. The information does not include Social Security numbers, which Monster.com said it doesn't collect, or resumes. Monster.com posted the warning about the breach on Friday morning and does not plan to send e-mails to users about the issue, said Nikki Richardson, a Monster.com spokeswoman. The SANS Internet Storm Center also posted a note about the break-in on Friday.'"
They did the mash. They did the monster mash.
Why the hell is a job search site collecting birth date, gender, and ethnicity information?
When will companies face accountability for the damages they cause due to lax data security?
I wonder why monster.com holds on to their data (especially e-mail addresses) for so long.
At work, I see incoming mails from monster for employees that have left the company 5-10 years ago.
They should understand that someone looking for a job might actually find it, and his e-mail address could possibly change. After having received 550 replies on mails sent to members a couple of times, they should just delete the record (or at least the apparently invalid mail address).
Instead, they just go on trying...
If only there was some kind of service where you could advertise for a network security guy...
Spammers and phishers already have that data, name+email etc... sounds like a drop in the bucket to me. -rich clearsite.sourceforge.net
I am a Nigerian prince who wishes to hire you. I will send you a check for $60,000 to cover your employment of $55,000.
All I ask is that you purchase $5000 in laptops to send back to the parent company here. You can even keep one as your work computer.
As soon as we get the laptops we will send you another check for $100,000 to hire two employees. We only ask the extra $10,000 be sent back to the parent company.
In these economic times people don't seem to care so much about "silly" things like privacy and security when they're scrapping for a job. In a better economy, I think people would be more inclined to make a big fuss. Sad.
--
So who is hotter? Ali or Ali's Sister?
Change your password. The rest of the info is already freely available from the resume you posted to Monster, right?
The real question is: Why are they storing plaintext passwords? That's inexcusable.
Maybe the hackers are hiring? (No polygraph or pee tests required.)
Leave the gun, take the cannolis.
Since this was their second data breach, and it doesn't look like they learned anything from last time, I had them delete my account. It is not something that you can do as a user. You have to get one of the techs to do it. You can do it through an online chat. Also make sure they delete the account and not just make everything private.
... I just got a job offer from the Russian Mob!
And I could not go to that site and change my fucking password fast enough. Not only because of the personal info that is in my Monster account, but because it's one of the handful of 'high security' passwords I use at a few different sites-- if the bozos who made off with this data tried that password at some of the right other sites they could have ended up with a few of the keys to my kingdom.*
I think it is complete and total BS that Monster is not taking active steps to alert users.
I've been in the same job for 8 years, but I always keep a fairly up to date resume available on Monster. Haven't gone there recently though, so I would never have known about this if not for the story breaking on some of the news sites I read.
* Please don't give me any bullshit about 'you should have a separate password for every site'-- let's see how many completely random 14 character alphanumeric passwords YOU can memorize!
I went in to change my password to something over 25 characters, with letters (upper and lower), numbers and specials characters. It kept notifying me that the pass was not strong enough. I reviewed and followed the instructions, then extending it to over 50 characters. I received the same warning message even when clicking on the submit button - wtf?
After several attempts, I tried logging out and logging in with the new pass. Guess what, it did change!
Bad interface, bad notifications, bad programming, bad (or no) testing. No wonder they got had.
I mean really, if you can't design and code a simple change password feature....
This is ridiculous now. In 2007 they had the same thing which included PASSWORDS and framed it as business contact info or the same thing included in your business card so don't worry...oh and change your password because they have that too.
I would be fired if we had a breach of security and I let out the door unencrypted passwords. I mean really you have to assume at this point that data like that will be stolen and some point and have a plan to deal with it.
The unencrypted passwords part just kills me.
Anyone have their compliance officers email Patrick Manzo?
If you have a Monster account cancel it and leave a note in the "why are you canceling?" box. Don't make it some rant, but make sure you explain that you will not tolerate their incompetence, their unwillingness to take security of their users' personal information seriously, and their total lack of integrity by trying to hide the breach from their users. Then explain that you will try to get everyone you know to cancel their account for their own security. Finding jobs is all about networking...so is taking down misbehaving companies.
The only change I can believe in is what I find in my couch cushions.
"No resumes were stolen."
Uh huh. So there's no possibility that the malefactors will log in with the stolen user IDs and passwords and collect resumes from people's accounts?
Dunx
Converting caffeine into code since 1982
Illegal access wouldn't have given the intruders anything if this company had not been negligent in securing the data. The fact that something is illegal is no protection, the problem is purely that they were able to access the data.
Yes they can!
the person that stole the data emailed the users instead:
Monster.com let me steal your personal information, not once but twice, knew about it, and didn't feel like letting you know, so I thought I would instead.
Click this link to send an email to monster.com to let them know what you think about their security and their policy for handling of breaches.
- The Haxors
BONUS! If you click on the javascript form (can't link directly to it) on their main page up top right that says Help and Security, there's two interesting bullet points lower right:
- Protect yourself against online fraud
- Contact us
Those two really shouldn't be so close together on the same page?
I work for the Department of Redundancy Department.
So grab their user database and send out the email notifications yourself!
Talk about some "monstrous" bad web security.
Aw Frell this
security notice on the front page. They probably think that email about data breach would feel like phishing, so they will require password resets at next log-in across the board for everyone affected. http://help.monster.com/besafe/jobseeker/index.asp .j.
I can find that very same information about anyone (except their passwords) here:
http://www.public-records-now.com/
I'm not terribly surprised. They have a casual approach toward development and quality assurance. In the early days of Monster at TMP Worldwide the QA department consisted of just two people - Fidelity demanded they focus more on QA so they brought me in (Fidelity was and probably still is their single largest account. At the time probably 75% of the jobs were Fidelity postings).
The code running the site was atrocious - and the web server consisted of a single DEC Unix box. They had terrible cross-browser issues (I can't remember if it was Netscape, which was still dominant at the time, or MSIE which completely broke). The developers had no clue what was wrong, so I did some digging and the issue was a lot of table cells and even table rows were never being closed. I logged the defects and was given access to the code (which was Datapult PF at the time - thank god it was not easy-to-write/impossible-to-read perl). I worked with the developers (coders, really) to identify where each type of cell was being generated, and where it should be closed. The code was such that I had to print it on a line printer and trace with pens where each cell was being opened, and there were a lot of cases where the code was not nested properly. It was UGLY. Well, after a few days I had fixed the bugs and it was rendering properly in "all" of the two major browsers, and even AOL.
(as an aside, Datapult PF was kind of neat - very readable and a much better alternative than ASP. I had taken the defect tracking system and enhanced it and wanted to clean up the database schema but there just wasn't time)
Then, by the time they closed the Framingham facility and moved to Maynard, the Fidelity contract had been finalized so they axed most of QA (read: all but one person) and offered me a job as a developer - for $38K, which was just slightly over half of what I was making as a QA engineer. I told them thanks, but no thanks, that $38K is actually quite insulting.
I don't know if they have a proper QA process and department in place, but back when I was there (1997 or 1998) the only people who liked the fact that there even was QA at all were the developers. Management, sales, etc. all hated us, and the parent company (TMP Worldwide) looked at QA as a cost center. They Just Didn't Get It then, and I wouldn't be surprised if they still do not have QA now and Still Don't Get It.
I don't know what they're running for a back end now, but the response headers say IIS 6.0 so I'd presume ASP.net. For .Net and PHP there are plenty of harnesses to test for SQL injection bugs, which, If They Get It, they would be running against the site, but far more likely it's a human issue (someone selling the info, since TMP Worldwide grossly under-pays permanent Monster employees, or at least did at the time) or the Windows server has a root kit on it (if it is in fact IIS 6.0) -- or is the result of an untested bridge to other systems they integrate with. If their modus operandi is still that of TMP Worldwide and they view QA as unnecessary unless a client demands it before awarding a large contract (Fidelity is a company which Does Get It) then I would not be surprised if QA personnel and processes are both totally lacking.
It was a fun contract - don't get me wrong. I liked the people I worked with, and I liked working with the developers to fix the problem, but TMP as a whole just doesn't get it. Monster needs to be run internally like a software company, since it is a large internally-developed software project which is CONSTANTLY being enhanced with more and more features and integrated with other systems (ad servers, etc.). It's not a small project by any means and proper QA from requirements through deployment and maintenance is the only way to minimize liabilities such as this.
As an aside: does anyone out there remember the sleeping monster? The sleeping monster was in place whenever code was being moved from the staging server to the live server, or when the Oracle database would go down. The sleep
The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
at least I'd know who to blame this time when my e-mail is bombarded by penis enlargement advertisements.
Didn't they just do a banner blitz announcing how new and improved they were? Most things never change.
"It's a doughnut stuffed with M&M's. That way when you finish the doughnut, you don't have to eat any M&M's."
The real kicker is the law requires the firm with a data breach to inform several state agencies AS WELL AS the person whose data has been compromised:
"The law requires that a person or agency that owns or licenses personal information about a resident of the commonwealth notify the attorney general, the director of consumer affairs and business regulation, and the affected resident if it "knows or has reason to know of a breach of security"
"Where is my mind?"
What is all this ingenuity people, does anybody expect any electronic protection mechanism to be forever 100% safe?
Monster is a very big center of interest, it necessarily attracts criminals as well as decent professionals and employers sometimes.
Exposition means vulnerability, that's universally real, nothing to do about it.
The amount of personal information about myself on Monster is limited to name and email. Never is my current employer mentioned there, never is my mobile or phone number, nor my real post address or code as such, potential employers may ask me directly. All the info on the CV (including study and old employers) is real and public, and so is supposed to be.
Nevertheless, when used with salt Monster remains an invaluable contact point. And certain sticky headhunters calling in the middle of the night from overseas didn't manage to put their hands on my mobile yet.
This is why I only use randomly generated passwords for these type of sites, and store them in my password safe. They may have gotten my monster password, but they won't be getting into anything else.
--
Luck is just skill you didn't know you had.
I hadn't visited Monster in years, but this story made me go over there and log in and update my profile (after I e-mailed them asking if my account was one of those compromised.) If this was viral marketing to get them more visits, it worked in my case.
"We can categorically state we have not released man-eating badgers into the area." - UK military spokesman, July 2007
The web browser is a dead end
davecb5620@gmail.com
I am a programmer but by no means a security expert. However, when I store passwords I use an irreversible hash with salt. It's not hard to implement (1 days work). How can any site as big as monster not be doing this? I also used PreparedStatements (in Java) for executing SQL; again it's not hard and prevents injection attacks. I am baffled every time I hear of a site compromised by that type of attack. How can people not be using something like PreparedStatements? (I am especially pissed when a site makes me use one of my good passwords (by requiring numbers and symbols and certain length) them email the password back to me in plain text, or does crappy security like Monster)
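The two practices the comment above describes, a salted irreversible password hash and a parameterized query in place of string-built SQL, as an added example in Python (the commenter's Java PreparedStatement pattern is shown here with sqlite3's `?` placeholders, which bind the same way). This is illustration code, not anything from Monster or from the commenter; the user table, sample accounts and iteration count are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

# Assumption: iteration count picked for illustration; tune it for your hardware.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a salted, iterated hash and return a self-describing record.

    Format: 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'. Keeping the
    parameters beside the digest lets the iteration count be raised later
    without invalidating records that already exist.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record: never accept
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for a site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, pw_record TEXT NOT NULL)")
    return conn


def register(conn: sqlite3.Connection, email: str, password: str) -> None:
    # Bound parameters: the driver passes email and record as data, never as SQL text.
    conn.execute("INSERT INTO users (email, pw_record) VALUES (?, ?)",
                 (email, hash_password(password)))
    conn.commit()


def lookup_record_unsafe(conn: sqlite3.Connection, email: str) -> Optional[str]:
    """The injectable pattern: caller-supplied text spliced into the statement."""
    row = conn.execute(
        "SELECT pw_record FROM users WHERE email = '%s'" % email).fetchone()
    return row[0] if row else None


def lookup_record(conn: sqlite3.Connection, email: str) -> Optional[str]:
    """The hardened form: a bound parameter, the PreparedStatement equivalent."""
    row = conn.execute(
        "SELECT pw_record FROM users WHERE email = ?", (email,)).fetchone()
    return row[0] if row else None


# Dummy record so an unknown e-mail costs the same verification time as a known one.
_DUMMY_RECORD = hash_password("dummy")


def login(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """Authenticate using the parameterized lookup and the salted hash check."""
    record = lookup_record(conn, email)
    if record is None:
        verify_password(password, _DUMMY_RECORD)  # equalize timing, then reject
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    db = make_db()
    register(db, "alice@example.com", "correct horse")  # constructed sample users
    register(db, "bob@example.com", "correct horse")
    print("same password, different stored records:",
          lookup_record(db, "alice@example.com") != lookup_record(db, "bob@example.com"))
    print("alice login:", login(db, "alice@example.com", "correct horse"))
    print("string-built query returns a row for a quote-breaking input:",
          lookup_record_unsafe(db, "' OR '1'='1") is not None)
    print("bound-parameter query for the same input:", lookup_record(db, "' OR '1'='1"))
```

The stored records never contain the password, so a stolen table yields only per-user salted digests, and the bound-parameter lookup treats a quote-breaking e-mail value as a literal string that matches nothing.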
I've been getting spam on my special monster email address which is ONLY USED ON MY RESUME POSTED TO MONSTER. My monster account email address WAS NOT SPAMMED (it's different).
So they're completely clueless as to the extent of the data breach. Resumes were stolen. and sold to spammers.
While I tend to agree, it's also more likely to happen when people commissioning the software accurately define what "correct" means (in your "correct product" definition above).
creation science book
Just tried to cancel my membership. The page doesn't work. Neither with firefox/linux nor with Windoze/Explorer. Pretty sad
Netcraft says they are a Windows 2003/IIS shop, with Akamai doing some of the caching.
http://uptime.netcraft.com/up/graph?site=www.monster.com
http://toolbar.netcraft.com/site_report?url=http://jobview.monster.com
Was this an exploit in their webserver/SQL servers? I would assume they are running MSSQL or Oracle.
I remember their last large breach, this is unacceptable that precautions weren't made after that and this happened again.
Right after the first data breach, I called them up and demanded they delete my account and all of my personal data. The fact that there was not an option to do this online, and that I was forced to call them in person, was the first sign that their data management policies were fscked up.
I was put on hold for a long period of time, and when I finally got a real person on the other end of the line, I told them in no uncertain terms that I wanted my account removed. You want to know what their response was? He went into some spiel asking me why I wanted to leave monster.com. I mentioned their data breach, and he replied that they'd taken measures to ensure it would not happen again, so that it was no longer a reason for me to leave. That is to say, he initially refused my request. I repeated myself, this time, threatening his company with legal action if they did not remove my personal data. I also pointed out that I don't need a reason to request my business relationship with monster.com to be permanently terminated.
And now, a second breach has happened. Big surprise. Whether my information was actually removed, or simply stored in some database, I do not know. That's the problem with these companies. Personal information is the true currency of the online market. The individual user has no leverage, no recourse. The only solution is to never give out that information to begin with.
For all of you who are asking why this sort of data (name, address, phone number) is really all that sensitive in light of the fact that anyone could find such information in phone books and other public records, the fact of the matter is that an electronic database is far easier to harvest than a physical book. Data = content + format. You're also not taking into account the fact that the database of monster.com users is a self-selected group of individuals who at some point were actively seeking a job through online means. That property in itself makes the data a valued segment, which is why (1) monster.com is so unwilling to delete your information, and (2) malicious third parties want to steal it.
I assume users of Monster.com should change their password at that site and anywhere else they may have used the same password. What else can users do? Is a password change sufficient?
-Rich
Price Waterhouse Cooper and Carnegie-Mellon's CyLab have recent surveys that show the senior executive class to be, basically, clueless regarding IT risk and its tie to overall enterprise (business) risk. I like to pass along things that work, in hopes that good ideas make their way back to me. Data breaches and thefts are due to a lagging business culture - and people aren't getting the training they need. As CIO, I look for ways to help my business and IT teams further their education. Check your local library: A book that is required reading is "I.T. WARS: Managing the Business-Technology Weave in the New Millennium." It also helps outside agencies understand your values and practices. The author, David Scott, has an interview that is a great exposure: http://businessforum.com/DScott_02.html - The book came to us as a tip from an intern who attended a course at University of Wisconsin, where the book is an MBA text. It has helped us to understand that, while various systems of security are important, no system can overcome laxity, ignorance, or deliberate intent to harm. Necessary is a sustained culture and awareness; an efficient prism through which every activity is viewed from a security perspective prior to action. In the realm of risk, unmanaged possibilities become probabilities - read the book BEFORE you suffer a bad outcome.
Transcript of my chat in order to delete my account with Monster:
---
Monster
Live Chat
Save 1/25/2009 3:49:14 PM
Status: Conversation in progress
Requesting Conversation..
Sent: I'd like to know how I can delete my account?
Welcome <First> <Last>! We look forward to being of assistance. Please be aware that the conversation will close if it is idle for 20 minutes.
You are first in the queue.
The conversation request is being delivered to an agent. Please wait a second.
The conversation request has been accepted by an agent. Please start the conversation.
Received: Thank you for contacting Monster, my name is S<...>. I will be happy to assist you today.
Received: May I have your full name and email address, please?
Sent: Sorry, I fail to see what that has to do with my question.
Received: It is a verification process.
Sent: Verification for what? I ask a usage question about the site. Where/how can I delete my account. I fail to see the necessity. And beside the point, I already stated my name.
Received: I have to verify the chat.
Received: It is monsters policy
Received: Go into your preferences at the top of the account and you will see there where you can delete your account.
Received: Kaj will there be anything else.
Sent: Sorry, but you seem to have really odd policies at Monster. You seem to lose my account information (http://help.monster.com/besafe/jobseeker/index.asp) and then you ask for more of my information when I ask you how to delete my account so that I'm not party to such future losses? Does that make any sense to you?
Sent: Thanks, I'll try that.
Received: Goodbye, and thank you for choosing Monster.
---
As you can see from the order, I did not finish my comments on the policy before S<...> gave the correct answer.
Thank you S<...> for overwriting the "policy" and acting like a human being. I honestly appreciate this ability to act like a thinking human being.
How is it POSSIBLE that the hackers compromised user passwords?
Cryptographic hashes, anyone?
I'll be canceling my account too. This is simply too incompetent.
The information does not include Social Security numbers, which Monster.com said it doesn't collect
Is http://www.usajobs.gov (aka http://www.usajobs.opm.monster.com) affected? Because they collect and require SSNs from Federal job applicants there.
[me@somewhere ~]$ nslookup www.usajobs.gov
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
www.usajobs.gov canonical name = www.usajobs.opm.monster.com.
www.usajobs.opm.monster.com canonical name = www.akadns.monster.com.
Name: www.akadns.monster.com
Address: 63.112.169.1
Name: www.akadns.monster.com
Address: 208.71.197.1
Just checked my saved passwords list and the monster one is a one off.
Backups, one time passwords, they're a pain to do but at times like this I'm glad I only have one password to update!
I stole this Sig
Combined with the fact that they recently switched to a horrible new UI, this made me login to remove my personal details, change my password, and remove my resume. Most people are using craigslist these days anyway. It's cheaper for employers to post jobs there, and it's a better run site in general (clean UI, good security, etc.). I also left my Yahoo resume up, because that site's not too bad, and I know I get a few hits off it.
-- http://ninthagenda.com/
So to anyone who reuses passwords over & over again on different websites, this is a good reminder of the security risk you are taking.
If you may have used that password on other websites, now is a good time to change them.
Just think of the number of people who used the same password for their e-mail account as they used for their monster account.
What's needed is a change in the business model that links payment to a finished, correct product. ISVs working on fixed-price contracts and firmware developers have very low error rates.
The last time I saw that argument made, the final argument ended up being for a cost model based on error-free LOC rather than hourly pay - that is, piecework - although it took a bit of time to get the guy to state it that plainly.
"Programmers" and "software engineers" as gumball machines, as it were.
You owe me $10 (binary, if I'm offshore - which those who want to go to a piecework model inevitably prefer).
Of course, the catch 0x16 is that those who want piecework programming also inevitably want the right to reject - but keep - the final output. When you take that final output around to enough programmers but reject - that is, don't pay for - their "piecework" contribution, you can end up with some mighty fine software. For free.
Strangely, those people who want to pay on "piecework" terms do not - almost without fail - want to pay for their unending contributions to scope creep and the shifting definition of the "final" product, leaving the software engineer doing in-flight missile design as well as new work.
Go figure.
Orwell: "In a Time of Universal Deceit, telling the Truth is a Revolutionary Act"
Just another reason why everyone trying to hire new employees should post listings themselves on their social networking profiles!
When big companies screw up *this* much it opens up a lot of opportunity for alternatives.
And you're right--I really need to stop doing it.
Changed the password already.
I've started receiving bogus job offers that involve utilizing my bank account.
There were some big plot holes in your story.
MONSTER KILL!!!
Sent from my desktop computer
... this is an appropriate time for a class-action lawsuit. Such a lawsuit could also entail discovery of the number of people who demanded their data be deleted... and for whom that was not done.
Correct Horse Battery Staple: 72 bits of entropy. Enter "Correct H" into google. When it generates the phrase, that's
It's: "fool me once. . . shame on . . . you. . . fool me . . . you can't get fooled again!"
IT.... quite a monstrosity....(sorry, i am the "punster munster")...
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
After I hit the "save" button at the bottom of the 'update user info' page, I then deleted the account.
Hopefully, this allowed me to actually nullify my info in their database when I made my changes and "saved" those changes, before canceling the account.
Granted, it may be too late for this round of Monster data breaches.
But I'll hope that in using this method, they shouldn't have my info in their database for the next round of user info loss that will likely follow.
They seem to invite these problems unto themselves.
Thank goodness that the password I'd used for the site was a one time password that I'd only used at a few other junk sites, and the email address was one I use for spam watching.
( I'd been registered with Monster for years, but had never taken the time to 'upgrade' the email and password on that site to the more trusted ones that I use for proven sites, especially after last years breach there ).
Now, I just have to try to convince the local newspaper to use someone other than Monster for their online job postings.
If it has tires or tits, it will give you problems.
A line of code is the software equivalent of a moving part. A product with a high LOC can be likened to a Rube Goldberg device. Only an idiot would pay on an LOC basis. You want programmers to minimize LOC to utility ratio.
A fixed price for a correct product is as far from LOC piecework as buying a car is from buying the parts individually.
A line of code is not a product. A correct line of code is not a product. At the lowest level, a bunch of code with an unambiguous specification and a thoroughly tested API is a product. If it's provably correct by construction (EWD340, EWD1036), it's a superior product.
As to your last complaint, competent, honest architecture followed by fixed-price development contracts eliminate scope creep.
If the use cases are well-defined, dollars per use case, invoiced after each increment, is a good approach. It has the added advantage that the customer gets something usable with each invoice.
I'm a Programmer. That's one level above Software Engineer and one level below Engineer.
As to your last complaint, competent, honest architecture followed by fixed-price development contracts eliminate scope creep.
Although I was making an observation drawn from personal experience and not a "complaint", I will not disagree with you.
Unfortunately for Western programmers, once that proposal has been carefully thought out and put together and submitted, said proposal can then be passed to an offshore development firm, which can knock 20% off the price, aim three times as many programmers at it to fulfill its terms, and still reap a 50% profit.
Orwell: "In a Time of Universal Deceit, telling the Truth is a Revolutionary Act"