Jobseekers at risk after another Monster breach

Date Reported:
1/23/09

Organization:
Monster Worldwide, Inc

Contractor/Consultant/Branch:
Monster's online job seeking communities (Monster.com, Monster.co.uk, etc.)

Location:
New York, New York*

*The Monster Worldwide, Inc. headquarters is located in New York, New York.  This incident was an online breach, so physical location is difficult to determine.

Victims:
Job seekers and other customers

Number Affected:
Unknown**

**BBC News reports "Users around the world have been affected, including the 4.5 million users of the UK site."

Types of Data:
"user names, passwords, telephone numbers and e-mail addresses, alongside demographic data, birth dates, gender and ethnicity"

Breach Description:
"Hackers are believed to have stolen the personal details of millions of people using the online job site Monster."

Reference URL:
BBC News
The Times (UK)
Monster.com Security Notice

Report Credit:
Monster Worldwide, Inc.

Response:
From the online sources cited above:

FROM NEWS SOURCES:
Hackers are believed to have stolen the personal details of millions of people using the online job site Monster.
[Evan] Not cool!  This doesn't reflect well on Monster's information security effectiveness, does it?  According to various sources, this is the third publicly disclosed breach involving jobseeker information.

Users around the world have been affected, including the 4.5 million users of the UK site.
[Evan] Monster has not disclosed how many people might be affected worldwide, citing the "need to protect the integrity of our security systems and our ongoing inquiry into this situation". I don't see how disclosing the number of users affected will compromise the investigation or security system integrity.  It's not like the bad guys don't know already!  Disclosing the number of affected users would certainly end some speculation.

The recruitment giant has advised people to change their passwords and be on the lookout for phishing e-mails.
[Evan] This is especially true if you use the same password for multiple (and potentially more sensitive) accounts.  My wife was using the same password for PayPal that she used for Monster.com!  Obviously, we put an end to that.  Check out the "Commentary" section below for a couple of password tips.

Recruitment sites have proved rich pickings for criminally-minded hackers in the past and it is not the first time Monster has fallen foul of cyber thieves.

In August 2007 Monster.com’s database was infected by a virus called infostealer.monstres, which siphoned off more than 1.6 million records, mostly of customers based in the US.

A Russian gang called Phreak was said to be responsible. It was found to be selling “identity harvesting services” to fraudsters, charging £300 for data.

Monster first revealed that its database had been attacked again on 23 January but has remained tight-lipped about the scale of the attack.

"We recently learned our database was illegally accessed and certain contact and account data were taken," said Monster senior vice president Patrick Manzo in a statement.

He went on to admit that hackers had stolen user names, passwords, telephone numbers and e-mail addresses, alongside demographic data, birth dates, gender and ethnicity.
[Evan] This is everything needed for a targeted phishing attack, and then some.

CVs had not been accessed, he said.

The statement warned people to be on the look-out for phishing e-mails built around the details surrendered to Monster.

"Monster will never send an unsolicited e-mail asking you to confirm your username and password, nor will Monster ask you to download any software tool or access agreement in order to use your Monster account," it read.

Graham Cluley, a senior consultant with security firm Sophos, said hackers armed with details from Monster accounts, could target other online information.

"It is surprising just how many people use the same password for a variety of sites. They need to change all passwords that are the same as that for their Monster login," he said.

About four out of ten people use the same password to access multiple websites, Mr Cluley said, meaning that criminals could use the Monster.co.uk data to obtain far more sensitive information. “These hackers could now use the passwords to access e-mail and online bank accounts.”
[Evan] I am surprised that the number is as low as 40%.  I would guess that this number is actually much higher.  Passwords are a very weak form of authentication.

FROM THE MONSTER SECURITY NOTICE:

As is the case with many companies that maintain large databases of information, Monster is the target of illegal attempts to access and extract information from its database.
[Evan] This may be true, but many of these companies are not reporting repeated online breaches totaling millions of affected persons.

We recently learned our database was illegally accessed and certain contact and account data were taken, including Monster user IDs and passwords, email addresses, names, phone numbers, and some basic demographic data.
[Evan] We will likely never know, but I am very interested in knowing how this breach occurred technically.

Monster does not generally collect – and the accessed information does not include - sensitive data such as social security numbers or personal financial data.

Immediately upon learning about this, Monster initiated an investigation and took corrective steps.
[Evan] Like what?  Hopefully these aren't the same "corrective steps" taken in response to past breaches.

It is important to know the company continually monitors for any illicit use of information in our database, and so far, we have not detected the misuse of this information.

We want to remind you that an email address could be used to target “phishing” emails. Monster will never send an unsolicited email asking you to confirm your username and password, nor will Monster ask you to download any software, “tool” or “access agreement” in order to use your Monster account.

The protection of your data is a high priority for Monster.

Our newly redesigned Web site has, and will continue to add, safety and security features to protect your information and we want you to feel confident using it.
[Evan] In order for your users to feel confident, they need to trust you and trust must be earned.

We continue to devote significant resources to ensure Monster has appropriate security controls in place to protect our infrastructure, and while no company can completely prevent unauthorized access to data, Monster believes that by reaching out to job seekers, the company can help users better defend themselves against similar attacks.

Monster has a full-time worldwide security team, which constantly monitors for both suspicious behavior on our site and illicit use of information in our database. To maintain the integrity of these security and monitoring systems, we cannot provide further details.
[Evan] Cop out. I am a practicing information security professional myself, and I often feel comfortable sharing information about the (administrative, technical, and physical) protections I employ in my job.  I don't disclose details such as configurations, procedures, personnel, etc., but I fail to see the harm in sharing general practices with other information security professionals.  We learn from each other only if we share with each other.

Commentary:
You really have nothing to worry about if ALL of the following are true:

  1. You gave no sensitive information to Monster.
  2. You are very well-versed in spotting phishing attacks.
  3. Your Monster password is unique among all of your other passwords.
If any of the three above are false, you need to react appropriately.

As is true with most breach notifications, I am not at all impressed with this one.  Monster has been through this exercise before and I wonder how much time will pass before the next one.  I have little doubt that there will be a significant number of phishing victims, recipients with increased spam, and fraud resulting from this breach.  There are very few consequences for Monster, aren't there?  People who need a job will still go there.

Password tips (as promised, and not all-inclusive):
  1. Use a different password for each login.  Changing only one character between sites is better than nothing, but someone who has one of your passwords will try the obvious variations first, so make them genuinely different.
  2. Use strong passwords.  There are plenty of tips on the internet to help you create a strong password.  You can use these general rules; use at least 10 characters (longer is stronger), use upper and lower case letters, use at least one number and special character (preferably in the middle portion of the password), don't use a word in the dictionary (without modification).
  3. Use a password management program, this way you only have to remember one password (the one used to access the others).
  4. If you must write down your passwords, write them down on a piece of paper and put it in your wallet.
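Here is an added example, not part of the original post and not Monster's code, of how tips 1 and 2 and the password-reuse problem raised by Cluley above play out in practice.  It is a small Python script that grades each password in a constructed personal inventory against a literal reading of the rules in tip 2 (the post's rules, not a standard), and compares every password against a constructed list of leaked passwords, flagging both exact reuse (the PayPal situation above) and the one-character variants tip 1 warns about.  The word list, account names and passwords are all made up for the example.

```python
"""Password hygiene check for a breach like this one.

Grades each password in a personal inventory against the strength rules in
the tips above, and compares every password with a list of leaked passwords
to catch exact reuse and one-character variants. All words, accounts and
leaked values below are constructed for this example.
"""
import string

# Constructed stand-in for a dictionary word list. A real check would load a
# full list (for example /usr/share/dict/words) instead of these few entries.
COMMON_WORDS = {"password", "monster", "welcome", "letmein", "jobsearch"}

SPECIALS = set(string.punctuation)


def is_strong(password: str) -> bool:
    """Encode the strength rules from tip 2 as written in this post:
    at least 10 characters, upper and lower case letters, at least one digit
    and one special character with at least one of them away from the ends,
    and no dictionary word left unmodified inside the password."""
    if len(password) < 10:
        return False
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        return False
    if not (any(c.isdigit() for c in password) and any(c in SPECIALS for c in password)):
        return False
    # "Preferably in the middle": reject passwords whose only digits and
    # specials are the first or last character, e.g. "1Abcdefghijk!".
    if not any(c.isdigit() or c in SPECIALS for c in password[1:-1]):
        return False
    # A dictionary word padded with digits and symbols ("Monster08!") is still
    # a dictionary word; compare only the letters, case-insensitively.
    letters = "".join(c for c in password if c.isalpha()).lower()
    return letters not in COMMON_WORDS


def within_one_edit(a: str, b: str) -> bool:
    """True if the two passwords are identical or differ by a single
    insertion, deletion or substitution, ignoring case. This is the
    'only changed one character' habit that tip 1 warns about."""
    a, b = a.lower(), b.lower()
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def find_reuse(accounts: dict, leaked: set) -> list:
    """Return (site, verdict) pairs for each account whose password matches a
    leaked one exactly or is a one-edit variant of it."""
    findings = []
    for site, pw in sorted(accounts.items()):
        for bad in leaked:
            if pw.lower() == bad.lower():
                findings.append((site, "exact reuse"))
                break
            if within_one_edit(pw, bad):
                findings.append((site, "one-character variant"))
                break
    return findings


def audit(accounts: dict, leaked: set) -> dict:
    """Combine both checks into one report keyed by site name."""
    reuse = dict(find_reuse(accounts, leaked))
    return {site: {"strong": is_strong(pw), "reuse": reuse.get(site, "none")}
            for site, pw in accounts.items()}


# Constructed sample: the password the user had on the breached job site.
LEAKED_PASSWORDS = {"Monster08!"}

# Constructed sample: the same user's other accounts.
MY_ACCOUNTS = {
    "jobsite": "Monster08!",
    "paypal": "Monster08!",        # exact reuse, the PayPal scenario above
    "webmail": "Monster09!",       # changed one character only
    "bank": "Tr4vel-fjord-Lamp",   # unrelated and meets the rules
    "forum": "letmein1",           # unrelated but weak
}

if __name__ == "__main__":
    for site, result in audit(MY_ACCOUNTS, LEAKED_PASSWORDS).items():
        print(f"{site:8} strong={result['strong']!s:5} reuse={result['reuse']}")
```

Run as a script it prints one line per account.  Note that "Monster08!" passes the length and character-class rules yet is still rejected, because stripping the digits and symbols leaves a plain dictionary word; that is exactly the kind of password a cracker's word list catches first.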

Past Breaches:
Multiple

Comments
  • 1/30/2009 5:14 AM Gavin wrote:
    Excellent post Evan.

    As a member of Monster.com I became very concerned with this latest data breach. Without much thought I decided to remove my account for good, as it's pretty obvious at this stage (3 data breaches later) that using monster.com comes with such a high risk.
    Thankfully the password I was using was not being used for anything else.