Job-listing website Monster.com has fallen victim to unknown hackers, who obtained unauthorized access to their database and downloaded account logins, as well as the corresponding personal information. The website warns that the stolen data could be used to launch phishing attacks.
The Monster Network is a popular resource for people from all over the world that seek employment. It also serves as service provider for USAJOBS, the job-listing website of the United States Office of Personnel Management. USAJOBS lists employment opportunities in the federal government.
According to a
security communication published* on Monster's website, the compromised data includes user IDs and passwords, email addresses, names, phone numbers, as well as some demographic data. The resumes of the users have not been accessed during the security breach, the company points out.
“Monster does not generally collect – and the accessed information does not include – sensitive data such as social security numbers or personal financial data,” it is also stressed in the announcement. The company has launched an investigation into the incident and claims that the breach has been contained. Account passwords will be reset and the affected users will need to change them, the Monster network advises.
Patrick Manzo, senior vice president and global chief privacy officer of Monster Worldwide, says that even though there is no evidence that the information has been misused so far, the risk of the data being used to launch phishing attacks exists. “Monster will never send an unsolicited email asking you to confirm your username and password, nor will Monster ask you to download any software, 'tool' or 'access agreement' in order to use your Monster account,” he notes.
The company regrets any inconvenience caused to its customers as a result of this security breach, but claims that “no company can completely prevent unauthorized access to data.” However, data protection is considered a priority and important resources are constantly being directed to the implementation of better security controls, Mr. Manzo explains.
A
security notice was also published on the USAJOBS website. “We would also recommend you proactively change your password yourself as an added precaution. We regret any inconvenience this may cause you […] We continue to devote significant resources to ensure USAJOBS® (Monster) has security controls in place to protect our infrastructure and stakeholder’s information,” writes USAJOBS Program Director, Mary Volz-Peacock.
This is not the first time Monster is attacked by identity thieves. Back in 2007, hackers obtained unauthorized access to 1.3 million resumes stored in the database. Also, later that same year, some of the site's pages were injected with malicious code that was distributing malware to visitors. This security breach might have more serious consequences in addition to potential phishing attempts, as a lot of Internet users still use the same password for multiple online services, including financial ones.
*
The 'January Security Communication' URL listed on Monster's Security Center Web page was actually broken and resulted in a 404 Error when this article was written. The editor of this article had to figure out the proper URL on his own and has notified Monster.com of the issue.
