Hackers hit Monster.com's customer data again

Monster.com (MNST) said Tuesday that it will impose a mandatory password change for all North American and Western European users of its popular employment website by the end of this week.

The precaution comes after Monster quietly posted an online notice Friday disclosing that its customer databases had been hacked for the second time in six months. Thieves took user IDs, passwords, e-mail addresses, names, phone numbers, birth dates, ethnicity and state of residence for an undisclosed number of job seekers and employers, spokeswoman Nikki Richardson said.

Richardson said a criminal investigation is underway. She declined to confirm or refute a report by The Times of London that 4.5 million British users of Monster had their data stolen. She noted that the thieves did not swipe Social Security numbers, résumés or customer transaction data.

The theft underscores how cybercriminals are intensifying attacks on data storehouses. Last week, Heartland Payment Systems disclosed that hackers broke into the system it uses to process 100 million payment card transactions a month. "Data is king," says Don Leatham, senior director of solutions and strategy at security firm Lumension. "We will continue to see an uptick in targeted attacks in 2009."

Security and privacy experts say millions of Monster's patrons are in a particularly vulnerable state. Typing a stolen user ID and password gives an intruder access to everything available to the member job seeker or employer. Crooks "hoover up" such data, says Avivah Litan, banking security analyst at Gartner. They then correlate it with other information, stolen elsewhere, and use it to hijack bank accounts, break into company systems and do other scams.

A data thief could type in a stolen user ID and password, gain access and then change the password to secure permanent access to the account, says Sam Masiello, vice president of information security at security firm MX Logic. "Considering many users are not always active, this leaves a huge potential for many accounts to be compromised," Masiello says.

Los Angeles attorney and privacy advocate Mari Frank says Monster users should feel violated. "Here they are, trusting that the information they give up is going only to prospective employers, and now the criminals have it. It's such a betrayal."

Richardson countered that Monster strives to "provide the best practical security we can."