August 23, 2007 9:15 AM PDT

Monster.com waited 5 days to disclose data theft

Monster.com waited five days to tell its users about a security breach that resulted in the theft of confidential information from some 1.3 million job seekers, a company executive told Reuters on Thursday.

Hackers broke into the U.S. online recruitment site's password-protected resume library using credentials that Monster Worldwide said were stolen from its clients, in one of the biggest Internet security breaches in recent memory.

They launched the attack using two servers at a Web-hosting company in Ukraine and a group of personal computers that the hackers controlled after infecting them with a malicious software program known as Infostealer.Monstres, said Patrick Manzo, vice president of compliance and fraud prevention for Monster, in a phone interview.

The company first learned of the problem on August 17, when investigators with Internet security company Symantec told Monster it was under attack, Manzo said.

"In terms of figuring out what the issue was, that was a relatively quick process," he said. "The other issue is you want to make sure exactly what you are dealing with."

His security team spent the weekend investigating, located the rogue servers, and got the Web-hosting company to shut them down some time either late in the evening on August 20, or early in the morning of August 21, he said.

Manzo also said that based on Monster's review, the information stolen was limited to names, addresses, phone numbers and e-mail addresses, and no other details including bank account numbers were uploaded.

On August 21, Symantec published a report on its Web site that said it had found copies of scam e-mails that the engineers of the attack were using, with the aim of getting information that was more valuable than just names, addresses and phone numbers of Monster.com users.

Pretending to be sent through Monster.com from job recruiters, the e-mails asked recipients to provide personal financial data including bank account numbers. They also asked users to click on links that could infect their PCs with malicious software.

Their ultimate goal in taking the data from Monster.com was to gain enough personal information to lower the guards of target victims when they read the e-mails, said Patrick Martin, a senior product manager with Symantec's response team in Austin, Texas, which first identified the attack.

"It gives these spam e-mails just a little bit of credibility," Martin said. "These guys were trying to get financial information from people."

It wasn't until a day after Symantec issued that report on its Web site that Monster began to tell users about the data theft. In a notice posted on Monster.com on Wednesday, the job-search site warned that users might be the target of e-mail scams.

Monster then announced on Thursday that the details of some 1.3 million job seekers had been stolen. Fewer than 5,000 of those 1.3 million users affected are based outside the United States, it said in a statement.

Story Copyright © 2008 Reuters Limited. All rights reserved.

This should be fun...
by Kings X Rocks! August 24, 2007 4:42 AM PDT
It'll be interesting to see just how many folks actually buy into the scam emails and start clicking away...without asking "why would monster want more of my personal info?".

Moral: if you store your stuff online somewhere, you'd better be educated enough in the trappings of security breaches and online scams to protect yourself.
And I'm still waiting on them...
by menty666 August 24, 2007 4:53 AM PDT
After the story broke I went in, deleted my resumes and sent them a message in no uncertain terms that I wanted them to delete my account, remove my info from their database and email a confirmation when it's done. Still no word, go figure.

Though if they deleted my email address I suppose they couldn't let me know ;)
Overreaction much?
by Leria August 24, 2007 1:50 PM PDT
You kinda overreacted with the 'I'll delete my stuff and no one will get it! NYAH!' AFTER the breach has already happened! Really, there was no information that I had to give monster that they could have used to fool me, because I am savvy enough to know that Monster NEVER sends any emails except alerts about jobs.
Doesn't sound well thought out
by M A August 24, 2007 9:50 AM PDT
I mean, what kind of $$ are you going to be able to scam from 1.3 million unemployed people?