Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
The Internet Security IT

Monster.com Attacked, User Data Stolen 196

Posted by Zonk
from the rarr-snarl dept.
Placid writes "The BBC has an article detailing a successful attack on the US recruitment site, Monster.com. According to the article, 'A computer program was used to access the employers' section of the website using stolen log-in credentials' and that the stolen details were 'uploaded to a remote web server'. Apparently, this remote server 'held over 1.6 million entries with personal information belonging to several hundred thousands of candidates, mainly based in the US, who had posted their resumes to the Monster.com website'. The article also links the break-in to a phishing e-mail sent out recently where personal details were used to entice users to download a 'Monster Job Seeker Tool.'"
This discussion has been archived. No new comments can be posted.

Monster.com Attacked, User Data Stolen

Comments Filter:
  • 4,3,2... (Score:3, Interesting)

    by timmarhy (659436) on Wednesday August 22, 2007 @12:38AM (#20314831)
    i smell a lawsuit
    • by JonTurner (178845) on Wednesday August 22, 2007 @12:41AM (#20314849) Journal
      Wanted:
      New sysadmin. Must have experience in data security. Submit resume to adminjob@monster.com
      • by Harmonious Botch (921977) * on Wednesday August 22, 2007 @01:39AM (#20315155) Homepage Journal
        I did it. Hire me.
      • by high_rolla (1068540) on Wednesday August 22, 2007 @02:10AM (#20315323) Homepage
        Yeah, followed by the new marketing campaign: "Nobody else makes it this easy for your details to reach more employers"
      • by janrinok (846318) on Wednesday August 22, 2007 @02:10AM (#20315325)
        I don't agree. If you RTFA, you will see the the system was penetrated by using valid UIDs and passwords, which had been previously gathered using a phishing attack. Any system is vulnerable to such an attack and you can hardly line all up all sysadmins and have them shot - despite any justification that the odd one might actually deserve it. But I am surprised by the number of techies that fell for the phishing attack in the first instance.
        • by JonTurner (178845) on Wednesday August 22, 2007 @02:50AM (#20315503) Journal
          Upon reflection, I agree with you. It's not the admin's fault -- once it was in the admin's domain, it was already too late. IMO, This breech happened due to a design shortcoming, not a programming error. Let me explain: Any serious company with an internet presence should be asking "When a loss of an external user account/password occurs, what's the maximum damage that can occur? What can we do to minimize the impact?" Frankly, there is no reason at all that one user account (or even dozens) should be able to download 1.6 MILLION (!!) resumes. That's an incredible number!

          I'm shocked to think Monster doesn't have a limit on the # of resumes an account is able to d/l per some time period. (week/month/quarter). I don't know what that number is, but I'm thinking closer to "100" than "1.6 million". And didn't they run some cumulative activity reports once in a while to learn which accounts are the most active? And to what IP's the requests are being served? At the least, you'll know who your biggest customers are (or at least the ones who are taxing your servers) and where the data is going. At best, you'll spot problems like this breech as it is happening at stop it.

          So if someone must be sacrificed, line up the data security officers and a project manager or two. It's their job to be asking these questions and ensure they are compliant.

          Then again, hindsight is 20/20. Maybe the best thing that occurs from all this is we, on the sidelines, learn from their mistakes.
          • Re: (Score:3, Insightful)

            by timmarhy (659436)
            it's called division of power. don't allow any one person the power to perform such a hack, and it raises the bar a lot.
          • by ptudor (22537) *
            Having RTFA, my first comment is "wow, what a great press release from Symantec."

            The sort of anti-spider technology you describe was in place years ago and likely still is; think of the trade value of Monster's data. Now, instead of the traditional overly active account from an identifiable netblock imagine someone using their own zombie network to scrape a single resume/job/data an hour from across a few thousand machines. Wild speculation on my behalf but it's easy to fly under the radar if you try. (Th

          • by ari wins (1016630) on Wednesday August 22, 2007 @08:52AM (#20317657)
            Maybe the best thing that occurs from all this is we, on the sidelines, learn from their mistakes.

            I'd love to, but then I'd actually have to RTFA, and I don't have time today. I have to get a copy of my birth certificate and a visa, so I can help out my new Nigerian friend with a lucrative situation.
        • by plague3106 (71849)

          But I am surprised by the number of techies that fell for the phishing attack in the first instance.


          It sounds like it was done via employer accounts, which I would typically think falls to the HR department in a company.
        • But I am surprised by the number of techies that fell for the phishing attack in the first instance.

          Was it the techies or the hiring managers, though?

          It seems like the average HR department at a software firm with a C# vacancy would rather hire some guy a couple of years out of college with a bit of C# experience and a MCSD certificate than an experienced pro with a track record of shipping working software using half a dozen different languages including Java and C++. The same sort of firm probably wouldn't hire an DBA with a decade of experience using Oracle, SQL Server, PostgreSQL, Perl and Python

  • by Nibbler999 (1101055) <tom_atkinson&fsfe,org> on Wednesday August 22, 2007 @12:43AM (#20314857) Homepage
    I like the BBC headline better.
  • by grahamux (539822) on Wednesday August 22, 2007 @12:44AM (#20314861)
    You know, every time I get an email telling me my Bank of America account is going to be frozen, and should go to http://myaccounts-bankofamerica.net/ [myaccounts...merica.net] I always ask myself "Who actually falls for this stuff?". Now, I know. The people I look to for jobs. /cheer
    • by Farmer Tim (530755) <roundfile@NospaM.mindless.com> on Wednesday August 22, 2007 @12:57AM (#20314941) Journal
      What, you needed more evidence that your (potential) boss is an idiot?
    • Re:Phishing Attack (Score:5, Insightful)

      by timmarhy (659436) on Wednesday August 22, 2007 @02:03AM (#20315285)
      It seems to be a universal fact that to be in HR you need to always have an IQ lower then the people you are interviewing. It certainly has been in every company i've worked at.

      remember, these are the type of people who were putting "5 years experience required in windows 2003 admin" in 2005.

      • by jombeewoof (1107009) on Wednesday August 22, 2007 @02:23AM (#20315383) Homepage

        It seems to be a universal fact that to be in HR you need to always have an IQ lower then the people you are interviewing. It certainly has been in every company i've worked at.


        remember, these are the type of people who were putting "5 years experience required in windows 2003 admin" in 2005.

        I have the official HR handbook. The basic rule is "You can be NO smarterer than the chair you sit in"
      • Re:Phishing Attack (Score:4, Interesting)

        by RESPAWN (153636) <caldwell@@@tulanealumni...net> on Wednesday August 22, 2007 @09:39AM (#20318245) Homepage Journal
        I've literally had a recruiter forward me a resume one time for a candidate who didn't even know what company he was interviewing for. I've been forwarded resumes that looked like they were typed by a 5 year old. I've been sent resumes for candidates who have no technical experience at all. Period. I look at HR as nothing but a block to the actual hiring process. I'd rather they let me go to Monster.com and look at resumes than have somebody without technical skills do it for me.

        That said, I did have one IT outsourcing company that found my resume on Monster.com and when they called me, they wanted a social security number as part of their pre-interview screening process. When I refused, they claimed that it was necessary to save time by performing a background check before they potentially wasted their time on a candidate who wasn't able to pass a background check. I basically told them that they were idiots and that if they were legitimate, the only candidates they'd get with that policy are also idiots who had no business maintaining computer systems. Especially if the systems are considered sensitive enough to warrant a background check. The best part was that they had the gall to call me back and try to get my social one more time after that conversation.
    • Re:Phishing Attack (Score:5, Insightful)

      by arivanov (12034) on Wednesday August 22, 2007 @02:48AM (#20315493) Homepage
      Err... You are missing the point.

      Monster.com was broken in for spearphishing, not for sending bulk emails regarding "Bank of America". Spearphishing as a term is used to describe a phishing set up which is designed to hit a victim specifically by using a victim specific ruse based on knowledge of personal data.

      Recruitment agencies are actually a prime target for such attacks:

      1. Nearly all of them (even the specialised unix oriented ones) require all CVs in Microshit Word so pushing a custom Trojan is trivial.
      2. Nearly all of them systematically violate the Data Protection act and other similar statutes which require them to remove customer data from their databases when no longer needed. So far in the UK only 3% of the ones I have asked to remove my details have complied with the request. Amidst the most vile violators are the two biggest MOD oriented agencies and more than 50% of the top 20 (by job posting numbers).
      3. In addition to that apparently at least one UK (and international) jobboard also does not remove customer data even if you delete your accounts from there. As a result the agencies are re-fed your details on a regular basis.
      4. The agencies possess enough data for a perfect spearphish: date of birth, nationality, postal address, occupation, prior job history, current and past salaries as well as further background. In some cases where they have been subcontracted to do HR they possess even more data like NSNs/SSNs, credit ratings and the like.

      Frankly this is an industry that is in desperate need to be smacked with some vile regulation compared to which SOX and the recent health IT regs in the US are a child's play. They need to be straightened out and made to follow the laws of the land with regard to customer privacy. At the moment they are systematically ignoring them and in many cases they possess more of your personal information than your bank.

      So let's hope that the Monster case will cause some moves towards that.
      • Re: (Score:2, Insightful)

        by Anonymous Coward

        Spearphishing as a term is used to describe a phishing set up which is designed to hit a victim specifically by using a victim specific ruse based on knowledge of personal data.
        And this month's award for the shittiest neologism goes to...
      • by sholden (12227)
        If companies are ignoring existing laws, why would new laws have any affect at all?

        Why not, stay with me on this it's complicated, enforce the existing laws.
        • by growse (928427)

          It's all about risk. People speed because the chance of being caught combined with the penalty is such that they feel it's a risk they'll take. If you create new laws that enable capital punishment for speeding, people won't speed. You won't have to police or enforce it any more, it'll just happen.

          That's pretty much what SOX did. If the company makes it's numbers up, the CEO and/or CFO go to jail. That's a pretty big jump from the punishments had before. Therefore, companies are less inclined to take that

    • Re: (Score:3, Funny)

      by kalirion (728907)
      How can I unfreeze the account if your link is broken? Ah well, could you please unfreeze it for me? My BOA username/password is kalirion/password123. Thanks a ton!
  • now hundreds of millions will be able to see my resume, instead of the usual tens of millions!
    • by Dekortage (697532)

      That's what I was thinking... like, aren't MORE people seeing those resumes now? Isn't that a GOOD thing?

      Of course, it's really a problem for identity theft, since there are many details of a persons' life on their resume. In fact you could call them up and make yourself sound like you knew them: "Hey, this is Jamie over at First Bank of Goobersville... yeah, remember when we worked together before you left for Retail Mega-Schmaltz?" I've even seen resumes where people put down the names of their pets -

      • by kalirion (728907)
        And then they start blackmailing you - "Hey, I've got your active resume here, wouldn't want it to show up in your supervisor's inbox now, would we?" Or better yet, what about all the people who use the same username/password combinations on all online sites?
    • Unfortunately you'll only get job offers from the Russian mafia and Rumanian criminal hackers.

      "You better start commenting your code and indenting or you might have an 'accident'."
  • Hehe (Score:5, Funny)

    by JimboFBX (1097277) on Wednesday August 22, 2007 @12:47AM (#20314885)

    Last year, a British nurse was blackmailed by hackers who had used a Trojan to access her personal e-mails.
    I'll let you guys stew on how ambiguiously funny that sentence is.
  • by indraneil (1011639) on Wednesday August 22, 2007 @12:51AM (#20314895)
    Symantec's explanation [symantec.com]
    The trojan (Called Infostealer.Monstres) seems to be using HR login details (possibly stolen) to access hiring.monster.com and recruiter.monster.com sub-domains and download candidate information. It also seems to be similar to a previously known trojan called Trojan.Gpcoder.E [slashdot.org]
    Symantec estimates that 1.6 million people (mostly from USA) have been impacted.
    They have informed Monster about it
    • by bughunter (10093)

      They have informed Monster about it

      Somehow I'm not convinced Monster is going to be concerned enough to take action, at least not until it threatens to cost them significant money.

      I've been job searching recently, and Monster is the worst when it comes to privacy and security. First, when creating an online "resume" on Monster, between every "real" page, there's an ad page that looks like a Monster form to fill out, but it's actually a phishing page, an advertisement posing as a form that's asking for

  • hmmm (Score:4, Insightful)

    by wizardforce (1005805) on Wednesday August 22, 2007 @12:52AM (#20314899) Journal
    so Monster had no way of preventing some set of IP addresses from downloading over a million entries? does that sort of thing happen alot and they didn't think it was unusual or what? it would just seem to me that if there were alot of servers downloading an unusual amount of entries that there should be some way to prevent that...
  • by Anonymous Coward on Wednesday August 22, 2007 @01:06AM (#20314993)
    Monster and Dice are just meat markets. Relatively few people actually get jobs there, at least in IT. The real way you get a job is to know someone and have a good network of people. That's how I got my job, Monster and Dice never helped me. They're more like "cattle calls" for movie parts. Who knows, maybe Monster and Dice sell the email address lists to spammers...for the right price?

    Speaking of spammers, this [mailto] is for you spambot email harvesters.
    • Re: (Score:3, Insightful)

      by bakana (918482)
      Yes, who you know is important. But, if I know someone that works a cool place and a job isn't avialable, where do I look? Your friend isn't going to create a job for you, he can tell you when a job will open up. I highly doubt he can talk his upper managment into thinking a 3rd sysadmin would be needed. A lot of people get jobs because of who they know, for the rest of use who don't rub elbows with the Donald Trumps of IT, we get our jobs the old fashioned way. You either get recruited out of college,
      • Re: (Score:2, Interesting)

        by Anonymous Coward
        I sure didn't rub my elbows with the "Donald Trump" of IT at my place of work. I just knew someone who recommended me, and I was able to take it from there with my ability. I probably wouldn't have this job but for that person (I wouldn't have even known about the opening).

        Unfortunately, Monster and Dice are indeed "cattle calls." More than once I've caught a Monster or Dice recruiter using my resume to try to land a government contract. Then, once getting said contract, that same recruiter fills that s
    • by uptownguy (215934) <UptownGuyEmail@gmail.com> on Wednesday August 22, 2007 @01:37AM (#20315145)
      Monster and Dice are just meat markets. Relatively few people actually get jobs there

      Craigslist all the way. I am operations manager for a small IT firm and we've hired our last ten people from Craigslist. The response rate is fantastic. In most major markets, posting an ad is still free (for now). I keep getting calls from a rep. at Monster every three to six months asking me to pay $300-$400 PER LISTING at Monster. I let them know that I am perfectly happy with the quality, quantity and cost of Craigslist. There's a long pause and then they say maybe they'll give me a call in three to six months to check up on me. It's a little silly and arrogant to think that everyone will be able to get a job through personal connections. But Monster and Dice are so 1999. Craigslist is where the real action is.

      Hint to other employers out there: I've found that the quality of candidates who respond to postings is directly proportional to the quality of the ad that you post. Put some thought into what you write. (Note: The same holds true for Slashdot.)
      • Re: (Score:3, Interesting)

        by Anonymous Coward
        Craigslist is horrible! If I wanted to be scammed, or give details to someone so they can possibly try identity theft hijinks, or just know where I live so they can kick down my door for a home invasion robbery, I'd use them.

        I have had zero luck with Craigslist even for buying and selling. When selling, people demand that I accept their temporary checks, and won't pay otherwise, so I tell them to find another victim. When buying, I ask for some proof the item wasn't stolen, or at least show me that the i
        • Re: (Score:3, Insightful)

          by crabpeople (720852)
          Do you work for a newspapers classified section or something? Ive done literally hundreds of craigslist deals and the worst you get is flakey people who hum and haw wasting time, or ask stupid questions. Cheque scams? Ive never had anyone even offer to pay with anything but cash...

          The majority of items in my apt were purchased off of craigslist. Not to mention my car, my current job and the apt iteself.

        • by HungWeiLo (250320)
          I'll be another data point for your "research":

          - Sold 2 of my cars in the last couple years at the posted price - both within 2 hours of posting.
          - Got my job there. Very happy.
          - Got all my wedding vendors there. Very happy for the most part.
          - Run my ads for my side business exclusively on CL. Get more business than I can handle.
        • by Shadukar (102027)
          "or just know where I live so they can kick down my door for a home invasion robbery"

          Not to imply that you are stupid, but are you aware that people can kick down YOUR door for a home invasion robbery without you telling them where you live?

          Additionally, are you aware that there are quite a few doors/houses as well as quite a few "home invasion robberies" without the involvement of craigslist ? I dare venture, and feel free to call my bluff, but I would say that majority of "home invasion robberies" take pl
      • by penguin_dance (536599) on Wednesday August 22, 2007 @05:20AM (#20316067)

        Craigslist...right.... Lots of ads, like the following:

        WEB DEVELOPER needed for growing company, must be prorficient [sic] in PHP, ASP, ASP.NET, C++, Java and XHTML. Students welcome. $10 hr.

        Oh, and here's a title from an actual ad now running (you can't make this stuff up):
        Big Dog Web Developers Needed for a Big Back End

        I don't even want to know.

      • by RESPAWN (153636)
        I think that's true to a point. Being able to get good candidates off of CL depends, at least partially, on how active CL is in your market. Granted, market size probably also factors in here, but let's compare my market to, say, Houston. Yesterday, there were 14 system/network admin jobs posted on CL for Houston. Here, there were 14 jobs posted in a over a month. The last job posting here was on Sunday, and in the past month the most active day was Jul 19 with 3 total posts.

        That said, I was hired via
    • by baadger (764884)
      So what you're really saying is Monster.com is the equivalent of all those useless download sites for awarded software [slashdot.org] ...but for jobs. I think that analogy fits.
    • I really can't comment on IT, but when I put my resume up on Monster for the energy field, I had to turn down several jobs in the mid to high five-figure range. (The one I ended up taking is high five to low six, but it involves 60+ hr workweeks and 95% of my time on the road. Not bad for a single guy with no college degree.). I guess it's all a matter of what's hot and what's not.
    • I've been out of college 3 years and have had two jobs. One was for a major hedge fund ($13 billion) and the current one is for a large software company. Both of them are/was awesome jobs and I was contacted by recruits via Monster.com. I know for a fact that at both companies Monster.com is used heavily and to some extend LinkedIn. We get tons of resumes but a lot of candidates simply do not cut it. A programmer with a MS in Comp. Sci. but has never dealt with multi-threading is hard to believe but th
  • cue sound: (Score:5, Funny)

    by doyoulikeworms (1094003) on Wednesday August 22, 2007 @01:22AM (#20315077)
    M-M-M-Monster Kill (...kill...kill...kill...kill...)
  • by Chris Pimlott (16212) on Wednesday August 22, 2007 @01:28AM (#20315103)
    What a nightmare, I'm already being flooded by dozens of job offers for adult websites development...
    • by Wee (17189)
      Heh, heh. I thought the same thing. Monster emails are almost entirely spam anyways. I mean, they may have been relevant a few years ago (that's being charitable) but I've never had anything but crap from them.

      Nice bonus is trying to find a link on their website where you can contact a real human. Or contact anyone. They seem to assume that anyone who wishes to contact them is either a job seeker or job poster. I don't think this is an oversight. I do think the staff at monster.com don't want to

      • Re: (Score:3, Interesting)

        by drewzhrodague (606182)
        I thought the same thing. Monster emails are almost entirely spam anyways. I mean, they may have been relevant a few years ago (that's being charitable) but I've never had anything but crap from them.

        Seconded. Monster is an advertising vehicle, not a job board -- not anymore, at least. I've been trolling Monster for about 7 years now, and while I have had many many interviews, I have received about 10,000 spam messages from recruiters from all over the world. I do UNIX systems administration.

        Here's a f
  • So to summarize... (Score:3, Interesting)

    by saikou (211301) on Wednesday August 22, 2007 @01:32AM (#20315125) Homepage
    While the fact that employer's Monster account(s) were stolen/cracked/pilfered is sad, the article says that trojan was essentially storing search results.
    That information is available anyways, as people with resumes in open access do want to be contacted so they publish the email/phone/name etc and anyone with a screen scraper can amass this pile of "personal data". There is no indication that job seeker's database was stolen.

    As for phishers I had a run in with one company claiming to "hire for Google" and demanding my SSN so they could "put my data into candidate database at Google, that absolutely demands SSN as unique ID".
    That was several months ago.
  • by Meneth (872868) on Wednesday August 22, 2007 @01:46AM (#20315195)
    Seriously, if even Slashdot can't use the word properly, how can we ever expect the MAFIAA to learn?
  • by grasshoppa (657393) <skennedy.tpno-co@org> on Wednesday August 22, 2007 @01:50AM (#20315213) Homepage
    Seeking networking security professional for immediate vacancy.
  • by FrostedWheat (172733) on Wednesday August 22, 2007 @01:53AM (#20315231)

    This story has the best headline I've seen on the BBC in a long time:

    Monster attack steals user data

    Ruh-roh! Someone call the Scooby Gang!

  • This could be used in job scams. be wary of job offers coming in from monster. always get a phone number from the phone book and ring them back to verify.
  • It could have been done over weeks or months, some time ago. This story doesn't say. I have had no notice from Monster about the breach in security, yet. Good thing I'm already in the middle of a round of interviews with a great company this week, for which I submitted a resume directly. I look forward to being able to delete my resumes and other information from Monster very soon.
    • by Cheeze (12756)
      and you really, really hope that when you press delete, monster actually removes it from their database.

  • by MoreCoffee (1146049) on Wednesday August 22, 2007 @04:41AM (#20315919)
    The Dutch bank was attacked by the 'man in the browser' type of trojan, which cached the output from the challenge-response between user- and bank. This bank by default performs two challenge-response sequences;
    1) when loggin in
    2) when confirming a transaction
    A third, is performed when transferring large amaounts of money.

    Appearently, the trojan told the customer the first attempt had failed, (while in the background preparing a transaction, which could be verified by the bank, because the client was so kind to re-autenticate (this time to the transaction challenge, while they were still thinking it was the login challenge)

    Here's the story (in Dutch, hurrah)
    http://tweakers.net/nieuws/48895/Virus-ontfutselt- geld-van-klanten-ABN-Amro-update.html [tweakers.net]

    /steven
  • by shadowspar (59136) on Wednesday August 22, 2007 @06:00AM (#20316245) Homepage

    Nothing. Absolutely nothing.

    The story's all over the media and the internet, Symantec has a blog post [symantec.com] and a virus writeup [symantec.com], and what's on the front page of Monster? Not a damn thing. No "your personal info may have been stolen", "hey, yeah, that data breach thing, we're looking into it", no acknowledgement of any kind. Their press page [monsterworldwide.com] contains bulletins about the Monster Employment Index and their top ten workplace etiquette tips. Looks like we're going to see another good example of how not to handle negative press related to a security issue.

  • Everyone knows that. I never met a single person ever who ever got a job through monster. Or even got a callback. I doubt 1% of the listings on Monster are real.
    • I've been using Monster.com since it was a gopher site called "occ". These days, I keep a resume on that site as a matter of course (which needs to be updated).

      Besides job hunting, it's also an excellent tool for getting a feel for what the market is like in a given industry center. Today, for example, I'm pretty happy with my present gig, but I still keep a resume on Monster.
  • by N8F8 (4562)
    I'm betting this stuff is espionage to get private data on Americans. At work we have been inundated with "greeting card" phishing over the last six months. The retards running our IT department seem helpless to stop it. I tried whining about it and got blown off. We're talking a top defense contractor here.
  • by Wolfger (96957)
    That's one way to get my resume out there!
  • by Harlockjds (463986) on Wednesday August 22, 2007 @07:36AM (#20316845)
    Didn't Monster just fire a lot of people? I'm guessing they let someone go who has access rights that weren't revoked (or happened to know someone login info who wasn't fired) and that person decided to 'get back'.
  • Why did we hear about this on the news? Why didn't Monster notify the users first?
  • I thought this was just another one of those pecker enlargement scams.
  • What are people worried about?

    They stole resumes!

    I highly doubt there is any real, non-falsified personal information in any of those! Not if any of the resume's I've ever seen have been any indication.

You see but you do not observe. Sir Arthur Conan Doyle, in "The Memoirs of Sherlock Holmes"

Working...