Monster.com Data Stolen, Won't Email Users
chiguy writes "There's been another break-in at Monster.com. It's surprising that there are still unencrypted passwords stored in the database despite the previous hack, as is the decision to not email users — presumably so that no one will make a fuss. From PC World: 'Monster.com user IDs and passwords were stolen, along with names, e-mail addresses, birth dates, gender, ethnicity, and in some cases, users' states of residence. The information does not include Social Security numbers, which Monster.com said it doesn't collect, or resumes. Monster.com posted the warning about the breach on Friday morning and does not plan to send e-mails to users about the issue, said Nikki Richardson, a Monster.com spokeswoman. The SANS Internet Storm Center also posted a note about the break-in on Friday.'"
They did the mash. They did the monster mash.
When will companies face accountability for the damages they cause due to lax data security?
You don't think they make their money from posting jobs do you?
If only there was some kind of service where you could advertise for a network security guy...
Spammers and phishers already have that data, name+email etc... sounds like a drop in the bucket to me. -rich clearsite.sourceforge.net
I am a nigerian prince who wishes to hire you. I will send you a check for $60,000 to cover your employment of $55,000.
All I ask is that you purchase $5000 in laptops to send back to the parent company here. You can even keep one as your work computer.
As soon as we get the laptops we will send you another check for $100,000 to hire two employees. We only ask the extra $10,000 be sent back to the parent company.
In these economic times people don't seem to care so much about "silly" things like privacy and security when they're scrapping for a job. In a better economy, I think people would be more inclined to make a big fuss. Sad.
--
So who is hotter? Ali or Ali's Sister?
Why the hell is a job search site collecting birth date, gender, and ethnicity information?
Most online applications have the optional equal opportunity information fields. Monster offers a way to auto submit this information. I'm not sure about the DOB, but this additional information is optional on Monster.
Change your password. The rest of the info is already freely available from the resume you posted to Monster, right?
Maybe the hackers are hiring? (No polygraph or pee tests required.)
Leave the gun, take the cannolis.
... I just got a job offer from the Russian Mob!
I went in to change my password to something over 25 characters, with letters (upper and lower), numbers and special characters. It kept notifying me that the pass was not strong enough. I reviewed and followed the instructions, then extended it to over 50 characters. I received the same warning message even when clicking on the submit button - wtf?
After several attempts, I tried logging out and logging in with the new pass. Guess what, it did change!
Bad interface, bad notifications, bad programming, bad (or no) testing. No wonder they got had.
I mean really, if you can't design and code a simple change password feature....
This is ridiculous now. In 2007 they had the same thing which included PASSWORDS and framed it as business contact info or the same thing included in your business card so don't worry...oh and change your password because they have that too.
I would be fired if we had a breach of security and I let out the door unencrypted passwords. I mean really, you have to assume at this point that data like that will be stolen at some point and have a plan to deal with it.
The unencrypted passwords part just kills me.
Anyone have their compliance officers email Patrick Manzo?
If you have a Monster account cancel it and leave a note in the "why are you canceling?" box. Don't make it some rant, but make sure you explain that you will not tolerate their incompetence, their unwillingness to take security of their users' personal information seriously, and their total lack of integrity by trying to hide the breach from their users. Then explain that you will try to get everyone you know to cancel their account for their own security. Finding jobs is all about networking...so is taking down misbehaving companies.
The only change I can believe in is what I find in my couch cushions.
You really sure they actually deleted it?
I've had pretty poor results with requests to delete my account information in the past with various online entities. Buy.com, for example, never deletes anything...I am still getting spammed by them to four disabled accounts years after they were supposedly gone.
In Soviet Russia, I ruled you
"No resumes were stolen."
Uh huh. So there's no possibility that the malefactors will log in with the stolen user IDs and passwords and collect resumes from people's accounts?
Dunx
Converting caffeine into code since 1982
So the employer can know the age and gender of their workers? Ethnicity is somewhat less clear but there are valid purposes such as the need to know one language or work with people of said ethnicity and so on.
the person that stole the data emailed the users instead:
Monster.com let me steal your personal information, not once but twice, knew about it, and didn't feel like letting you know, so I thought I would instead.
Click this link to send an email to monster.com to let them know what you think about their security and their policy for handling of breaches.
- The Haxors
BONUS! If you click on the javascript form (can't link directly to it) on their main page up top right that says Help and Security, there are two interesting bullet points lower right:
- Protect yourself against online fraud
- Contact us
Those two really shouldn't be so close together on the same page?
I work for the Department of Redundancy Department.
I deleted my account after the first incident, and followed up to make sure. They actually asked me why I wanted to delete it, and I spelled it out very plainly for them. Guess they didn't exactly take it to heart.
If they had to pay a dollar for every byte of data stolen, would that make these goofballs more cautious?
Mutant Freaks of Nature: "Frighteningly Addictive"
So grab their user database and send out the email notifications yourself!
You left out corporate HR and PR spokespersons. Black women only please. Lesbian, if available, for the company looking for a chic, liberal image.
Talk about some "monstrous" bad web security.
Aw Frell this
security notice on the front page. They probably think that email about data breach would feel like phishing, so they will require password resets at next log-in across the board for everyone affected. http://help.monster.com/besafe/jobseeker/index.asp .j.
I'm not terribly surprised. They have a casual approach toward development and quality assurance. In the early days of Monster at TMP Worldwide the QA department consisted of just two people - Fidelity demanded they focus more on QA so they brought me in (Fidelity was and probably still is their single largest account. At the time probably 75% of the jobs were Fidelity postings).
The code running the site was atrocious - and the web server consisted of a single DEC Unix box. They had terrible cross-browser issues (I can't remember if it was Netscape, which was still dominant at the time, or MSIE which completely broke). The developers had no clue what was wrong, so I did some digging and the issue was a lot of table cells and even table rows were never being closed. I logged the defects and was given access to the code (which was Datapult PF at the time - thank god it was not easy-to-write/impossible-to-read perl). I worked with the developers (coders, really) to identify where each type of cell was being generated, and where it should be closed. The code was such that I had to print it on a line printer and trace with pens where each cell was being opened, and there were a lot of cases where the code was not nested properly. It was UGLY. Well, after a few days I had fixed the bugs and it was rendering properly in "all" of the two major browsers, and even AOL.
(as an aside, Datapult PF was kind of neat - very readable and a much better alternative than ASP. I had taken the defect tracking system and enhanced it and wanted to clean up the database schema but there just wasn't time)
Then, by the time they closed the Framingham facility and moved to Maynard, the Fidelity contract had been finalized so they axed most of QA (read: all but one person) and offered me a job as a developer - for $38K, which was just slightly over half of what I was making as a QA engineer. I told them thanks, but no thanks, that $38K is actually quite insulting.
I don't know if they have a proper QA process and department in place, but back when I was there (1997 or 1998) the only people who liked the fact that there even was QA at all was the developers. Management, sales, etc. all hated us, and the parent company (TMP Worldwide) looked at QA as a cost center. They Just Didn't Get It then, and I wouldn't be surprised if they still do not have QA now and Still Don't Get It.
I don't know what they're running for a back end now, but the response headers say IIS 6.0 so I'd presume ASP.net. For .Net and PHP there are plenty of harnesses to test for SQL injection bugs, which If They Get It, they would be running against the site, but far more likely it's a human issue (someone selling the info, since TMP Worldwide grossly under-pays permanent Monster employees, or at least did at the time) or the Windows server has a root kit on it (if it is in fact IIS 6.0) -- or is the result of an untested bridge to other systems they integrate with. If their modus operandi is still that of TMP Worldwide and they view QA as unnecessary unless a client demands it before awarding a large contract (Fidelity is a company which Does Get It) then I would not be surprised if QA personnel and processes are both totally lacking.
It was a fun contract - don't get me wrong. I liked the people I worked with, and I liked working with the developers to fix the problem, but TMP as a whole just doesn't get it. Monster needs to be run internally like a software company, since it is a large internally-developed software project which is CONSTANTLY being enhanced with more and more features and integrated with other systems (ad servers, etc.). It's not a small project by any means and proper QA from requirements through deployment and maintenance is the only way to minimize liabilities such as this.
As an aside: does anyone out there remember the sleeping monster? The sleeping monster was in place whenever code was being moved from the staging server to the live server, or when the Oracle database would go down. The sleep
The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
Log in, delete your resumes and cover letters, change your password to some random crap. Then, go to the preferences home page and there is a "cancel my account" option. Leave them a nice note explaining how they deserve to go out of business and where oh where could they find a security person with a clue about hashed password storage.
Learning HOW to think is more important than learning WHAT to think.
Actually, they make most of their money through large contracts from companies that post lots of jobs. Fidelity was their first large one, or so I heard before I was asked to come aboard, and was the reason they had ANY QA at all (see below) in the beginning.
TMP worldwide is the parent company of Fidelity and is (or was) one of the largest temp firms in the world. They created Monster so they could find recruits for their own clients - that was fairly well known at the time.
Now I suspect they make the vast majority of their revenue through advertising revenue. Ever go on the site and see all the advertising features? "In your face" hardly begins to describe it.
at least I'd know who to blame this time when my e-mail is bombarded by penis enlargement advertisements.
Didn't they just do a banner blitz announcing how new and improved they were? Most things never change.
"It's a doughnut stuffed with M&M's. That way when you finish the doughnut, you don't have to eat any M&M's."
The real kicker is the law requires the firm with a data breach to inform several state agencies AS WELL AS the person whose data has been compromised:
"The law requires that a person or agency that owns or licenses personal information about a resident of the commonwealth notify the attorney general, the director of consumer affairs and business regulation, and the affected resident if it "knows or has reason to know of a breach of security"
"Where is my mind?"
Really? To e-commerce types, valid email addresses are like gold dust. Without them, you'll have a tough time launching your next site and getting its popularity built before your competitors do. With them, you can launch that site, spam all your existing customer with a thinly veiled "special offer" (note the "special" part which bypasses all "do not contact me" checkboxes), and you're in business.
This is why I only use randomly generated passwords for these type of sites, and store them in my password safe. They may have gotten my monster password, but they won't be getting into anything else.
--
Luck is just skill you didn't know you had.
I hadn't visited Monster in years, but this story made me go over there and log in and update my profile (after I e-mailed them asking if my account was one of those compromised.) If this was viral marketing to get them more visits, it worked in my case.
"We can categorically state we have not released man-eating badgers into the area." - UK military spokesman, July 2007
er, I meant "Now I suspect they make the vast majority of their revenue on smaller accounts through advertising revenue."
Wow... I'm guessing that AC hasn't filled out many applications... and I admit that I've only seen rare few applications ask about ethnicity... but otherwise, age, gender... two standards from my experience. Why would a job site care about Birthdate, Gender, and Race? Because EMPLOYERS care about Birthdates, Gender, and Race. Employers would like to know roughly how old their potential new employees will be, they like to know if they will be hiring a girl (for the day shift) or a guy (for the overnight third-shift they have had trouble with locals on).
Ethnicity...hmm..
"I love deadlines. I love the whooshing sound they make as they fly by." -D. Adams
The web browser is a dead end
davecb5620@gmail.com
I am a programmer but by no means a security expert. However, when I store passwords I use an irreversible hash with salt. It's not hard to implement (1 day's work). How can any site as big as Monster not be doing this? I also use PreparedStatements (in Java) for executing SQL; again it's not hard and prevents injection attacks. I am baffled every time I hear of a site compromised by that type of attack. How can people not be using something like PreparedStatements? (I am especially pissed when a site makes me use one of my good passwords (by requiring numbers and symbols and certain length) then emails the password back to me in plain text, or does crappy security like Monster)
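The two controls the post above names, a salted irreversible password hash and a parameterized query, as an added example in Python (the poster used Java PreparedStatements; this is not their code, nor anything from Monster.com). The sample user, password, table layout and PBKDF2 iteration count are constructed assumptions for the demo; the deliberately vulnerable lookup is kept only to contrast with the parameterized one.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional, Tuple

# Assumed tuning for the example; raise iterations as hardware allows.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user means two users with
    the same password get different digests and no precomputed table applies."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def create_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB NOT NULL, digest BLOB NOT NULL)"
    )
    return conn


def register(conn: sqlite3.Connection, email: str, password: str) -> None:
    salt, digest = hash_password(password)
    # Parameter placeholders: the driver sends values separately from the SQL text.
    conn.execute("INSERT INTO users (email, salt, digest) VALUES (?, ?, ?)", (email, salt, digest))


def find_user_unsafe(conn: sqlite3.Connection, email: str):
    # Deliberately vulnerable: user input is spliced into the SQL string.
    sql = "SELECT email, salt, digest FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchone()


def find_user(conn: sqlite3.Connection, email: str):
    # Parameterized: the quote characters in the input are just data.
    return conn.execute("SELECT email, salt, digest FROM users WHERE email = ?", (email,)).fetchone()


def login(conn: sqlite3.Connection, email: str, password: str) -> bool:
    row = find_user(conn, email)
    if row is None:
        # Burn a hash anyway so a missing account is not obvious from timing.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    _, salt, digest = row
    return verify_password(password, salt, digest)


def demo() -> dict:
    """Constructed walkthrough: one account, one valid and one bad login,
    and the same injection string against both lookup functions."""
    conn = create_store()
    password = "correct horse battery staple"  # constructed sample
    register(conn, "alice@example.com", password)

    stored_digest = conn.execute("SELECT digest FROM users").fetchone()[0]
    injection = "nobody@example.com' OR '1'='1"
    return {
        "good_login": login(conn, "alice@example.com", password),
        "bad_login": login(conn, "alice@example.com", "wrong"),
        "plaintext_on_disk": stored_digest == password.encode("utf-8"),
        "unsafe_lookup_injected": find_user_unsafe(conn, injection) is not None,
        "safe_lookup_injected": find_user(conn, injection) is not None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The unsafe lookup returns Alice's row for an email address that does not exist, because the input closes the quote and appends `OR '1'='1'`; the parameterized version returns nothing for the same string. If the users table leaks, the attacker gets salts and PBKDF2 digests rather than passwords, and each one has to be cracked separately.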
Employers would like to know roughly how old their potential new employees will be,
Except under US law, it's illegal to ask an applicant's age. Now I know age can be figured from other sources - dates of school and college graduation, etc. - but I also know the anti-discrimination laws are totally being flouted by online job sites. Many larger organizations have their own online applications and they claim to be administered by a third party, who will ask the birthdate for the purpose of conducting a background check.
They are breaking the law plain and simple.
== First cross river, then insult alligator.
Totally right on... it's what I just did. MF morons deserve it. I also wrote them a message about not 'fessing up in the first place.
Making a judgment on who to hire/promote/etc based on ethnicity is illegal in the United States, but an employer asking employees to voluntarily provide this information is legal, and in some cases necessary. Companies which win government contracts are required by law to file demographics data yearly. See http://www.eeoc.gov/press/9-12-06.html the EEO-1 requires companies with $50,000 in federal contracts and 50 employees to report to the government ethnicity, race and gender information on its employees.
How about storing it on your own machine in a strongly encrypted file? e.g. PasswordSafe.
Bruce Schneier wrote the original at CounterPane.
While I tend to agree, it's also more likely to happen when people commissioning the software accurately define what "correct" means (in your "correct product" definition above).
creation science book
I deleted my account too, but I was able to do via the Web interface, without involving customer services.
Just tried to cancel my membership. The page doesn't work. Neither with firefox/linux nor with Windoze/Explorer. Pretty sad
WTF are you on about?!?!? TMP has NEVER been the parent company of Fidelity and has never had a damn thing to do with anything Fidelity does EXCEPT have Monster run their careers site.
TMP is the parent company of Monster, renaming themselves Monster Worldwide or something some years back when the dotcom shtf. TMP was the temporary labor division and Monster was the online division.
Your facts are fuct for someone claiming to 'be aboard' either Fidelity or Monster, so much for knowing the background of the company you work for.
Right after the first data breach, I called them up and demanded they delete my account and all of my personal data. The fact that there was not an option to do this online, and that I was forced to call them in person, was the first sign that their data management policies were fscked up.
I was put on hold for a long period of time, and when I finally got a real person on the other end of the line, I told them in no uncertain terms that I wanted my account removed. You want to know what their response was? He went into some spiel asking me why I wanted to leave monster.com. I mentioned their data breach, and he replied that they'd taken measures to ensure it would not happen again, so that it was no longer a reason for me to leave. That is to say, he initially refused my request. I repeated myself, this time, threatening his company with legal action if they did not remove my personal data. I also pointed out that I don't need a reason to request my business relationship with monster.com to be permanently terminated.
And now, a second breach has happened. Big surprise. Whether my information was actually removed, or simply stored in some database, I do not know. That's the problem with these companies. Personal information is the true currency of the online market. The individual user has no leverage, no recourse. The only solution is to never give out that information to begin with.
For all of you who are asking why this sort of data (name, address, phone number) is really all that sensitive in light of the fact that anyone could find such information in phone books and other public records, the fact of the matter is that an electronic database is far easier to harvest than a physical book. Data = content + format. You're also not taking into account the fact that the database of monster.com users is a self-selected group of individuals who at some point were actively seeking a job through online means. That property in itself makes the data a valued segment, which is why (1) monster.com is so unwilling to delete your information, and (2) malicious third parties want to steal it.
I assume users of Monster.com should change their password at that site and anywhere else they may have used the same password. What else can users do? Is a password change sufficient?
-Rich
Re-read my post. TMP Worldwide is the parent company of Monster. Sorry about the typo as I was typing. Read my original post and don't post AC if you really want to dicker over a typo. Excuse me for making a mistake when writing the post. If you had read for context you would have figured out I made a mistake, so whatever. I know, I know, I've been trolled by an anonymous coward. :-p
I found my current job through Monster 5 years ago.
Seems to be mainly junk jobs now (like how to be my own boss and how to make money on eBay.)
Just checked my saved passwords list and the monster one is a one off.
Backups, one time passwords, they're a pain to do but at times like this I'm glad I only have one password to update!
I stole this Sig
I put african american for my race on a resume. I received a phone call, and did a quick interview. At the end of the interview, they were excited for me to come in and meet with them. When they discovered I was white, they said they already had plenty qualified white applicants.
Equal opportunity = legal racism. I wonder if I can have my race legally changed, heck if you can do it with gender...
Modding me -1 troll doesn't make me wrong.
Congratulations. You gave them grounds to not employ you based on the fact that you falsified information on a resume.
I don't disagree with your primary point entirely, but for goodness sake if you think that the result is sufficient evidence to prove discrimination, by all means file a lawsuit.
Telling Slashdot isn't going to help.
"Oh my God. This is terrible. This is the end of my Presidency. I'm fucked."; ~ Donald J. Trump
Combined with the fact that they recently switched to a horrible new UI, this made me log in to remove my personal details, change my password, and remove my resume. Most people are using craigslist these days anyway. It's cheaper for employers to post jobs there, and it's a better run site in general (clean UI, good security, etc.). I also left my Yahoo resume up, because that site's not too bad, and I know I get a few hits off it.
-- http://ninthagenda.com/
So to anyone who reuses passwords over & over again on different websites, this is a good reminder of the security risk you are taking.
If you may have used that password on other websites, now is a good time to change them.
Just think of the number of people who used the same password for their e-mail account as they used for their monster account.
You cannot sue for discrimination because you are too young, or too white. Sorry, this is America, and we don't do equal rights.
Everybody stop deleting your accounts! I'm trying to delete mine right now but it won't let me...I'm guessing the servers are melting and I want you to stop until I get mine deleted!
Then move over to Dice and CareerBuilder. I'd assume those were the next targets for anyone to try the same password. Followed shortly by LinkedIn, Plaxo and Facebook.
Then why don't they file it after the fact that they've hired the qualified persons? They don't need to know that data beforehand.
Random Thoughts From A Diseased Mind (Not For Dummies)
And you're right--I really need to stop doing it.
Changed the password already.
MONSTER KILL!!!
Sent from my desktop computer
... this is an appropriate time for a class-action lawsuit. Such a lawsuit could also entail discovery of the number of people who demanded their data be deleted... and for whom that was not done.
Correct Horse Battery Staple: 72 bits of entropy. Enter "Correct H" into google. When it generates the phrase, that's
It's more difficult to connect your mail system back to your database, than it is to simply run a program that mails from your database. Also, having lots of possibly expired email addresses to maintain is a bit of a nightmare, so it's as easy to simply ignore the expired stuff, and hope most are valid.
IT.... quite a monstrosity....(sorry, i am the "punster munster")...
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
After I hit the "save" button at the bottom of the 'update user info' page, I then deleted the account.
Hopefully, this allowed me to actually nullify my info in their database when I made my changes and "saved" those changes, before canceling the account.
Granted, it may be too late for this round of Monster data breaches.
But I'll hope that in using this method, they shouldn't have my info in their database for the next round of user info loss that will likely follow.
They seem to invite these problems unto themselves.
Thank goodness that the password I'd used for the site was a one time password that I'd only used at a few other junk sites, and the email address was one I use for spam watching.
( I'd been registered with Monster for years, but had never taken the time to 'upgrade' the email and password on that site to the more trusted ones that I use for proven sites, especially after last years breach there ).
Now, I just have to try to convince the local newspaper to use someone other than Monster for their online job postings.
If it has tires or tits, it will give you problems.
A line of code is the software equivalent of a moving part. A product with a high LOC can be likened to a Rube Goldberg device. Only an idiot would pay on an LOC basis. You want programmers to minimize LOC to utility ratio.
A fixed price for a correct product is as far from LOC piecework as buying a car is from buying the parts individually.
A line of code is not a product. A correct line of code is not a product. At the lowest level, a bunch of code with an unambiguous specification and a thoroughly tested API is a product. If it's provably correct by construction (EWD340, EWD1036), it's a superior product.
As to your last complaint, competent, honest architecture followed by fixed-price development contracts eliminate scope creep.
If the use cases are well-defined, dollars per use case, invoiced after each increment, is a good approach. It has the added advantage that the customer gets something usable with each invoice.
I'm a Programmer. That's one level above Software Engineer and one level below Engineer.