Hackers hit Monster.com's customer data again

By ABC News
January 27, 2009, 11:09 PM

The precaution comes after Monster quietly posted an online notice Friday disclosing that its customer databases had been hacked for the second time in six months. Thieves took user IDs, passwords, e-mail addresses, names, phone numbers, birth dates, ethnicity and state of residence for an undisclosed number of job seekers and employers, spokeswoman Nikki Richardson said.

Richardson said a criminal investigation is underway. She declined to confirm or refute a report by The Times of London that 4.5 million British users of Monster had their data stolen. She noted that the thieves did not swipe Social Security numbers, résumés or customer transaction data.

The theft underscores how cybercriminals are intensifying attacks on data storehouses. Last week, Heartland Payment Systems disclosed that hackers broke into the system it uses to process 100 million payment card transactions a month. "Data is king," says Don Leatham, senior director of solutions and strategy at security firm Lumension. "We will continue to see an uptick in targeted attacks in 2009."

Security and privacy experts say millions of Monster's patrons are in a particularly vulnerable state. Typing a stolen user ID and password gives an intruder access to everything available to the member job seeker or employer. Crooks "hoover up" such data, says Avivah Litan, banking security analyst at Gartner. They then correlate it with other information, stolen elsewhere, and use it to hijack bank accounts, break into company systems and do other scams.

A data thief could type in a stolen user ID and password, gain access and then change the password to secure permanent access to the account, says Sam Masiello, vice president of information security at security firm MX Logic. "Considering many users are not always active, this leaves a huge potential for many accounts to be compromised," Masiello says.