
Monster.com Data Stolen, Won't Email Users

Soulskill posted more than 5 years ago | from the security-specialist-wanted,-apply-within dept.

Security 200

chiguy writes "There's been another break-in at Monster.com. It's surprising that there are still unencrypted passwords stored in the database despite the previous hack, as is the decision to not email users — presumably so that no one will make a fuss. From PC World: 'Monster.com user IDs and passwords were stolen, along with names, e-mail addresses, birth dates, gender, ethnicity, and in some cases, users' states of residence. The information does not include Social Security numbers, which Monster.com said it doesn't collect, or resumes. Monster.com posted the warning about the breach on Friday morning and does not plan to send e-mails to users about the issue, said Nikki Richardson, a Monster.com spokeswoman. The SANS Internet Storm Center also posted a note about the break-in on Friday.'"


200 comments


And the users complained... (3, Funny)

Anonymous Coward | more than 5 years ago | (#26597763)

They did the mash. They did the monster mash.

Re:And the users complained... (2, Funny)

Anonymous Coward | more than 5 years ago | (#26598951)

Was it a graveyard smash?

um (0, Flamebait)

Anonymous Coward | more than 5 years ago | (#26597781)

Why the hell is a job search site collecting birth date, gender, and ethnicity information?

Re:um (5, Insightful)

htnmmo (1454573) | more than 5 years ago | (#26597795)

You don't think they make their money from posting jobs do you?

Re:um (0)

Anonymous Coward | more than 5 years ago | (#26598279)

Have you ever used Monster to actually hire someone?
They wanted two months salary for posting three positions for 3 months when I last used them.

Re:um (3, Informative)

kimvette (919543) | more than 5 years ago | (#26598515)

Actually, they make most of their money through large contracts from companies that post lots of jobs. Fidelity was their first large one, or so I heard before I was asked to come aboard, and was the reason they had ANY QA at all (see below) in the beginning.

TMP Worldwide is the parent company of Fidelity and is (or was) one of the largest temp firms in the world. They created Monster so they could find recruits for their own clients - that was fairly well known at the time.

Now I suspect they make the vast majority of their revenue through advertising revenue. Ever go on the site and see all the advertising features? "In your face" hardly begins to describe it.

Re:um (1)

kimvette (919543) | more than 5 years ago | (#26598715)

er, I meant "Now I suspect they make the vast majority of their revenue on smaller accounts through advertising revenue."

Re:um (2, Informative)

Gates82 (706573) | more than 5 years ago | (#26597943)

Why the hell is a job search site collecting birth date, gender, and ethnicity information?

Most online applications have the optional equal opportunity information fields. Monster offers a way to auto submit this information. I'm not sure about the DOB, but this additional information is optional on Monster.

--
So who is hotter? Ali or Ali's Sister?

Re:um (-1, Troll)

Anonymous Coward | more than 5 years ago | (#26597963)

So they don't match black applicants up with jobs that specified 'no niggers please'. or match women up with anything except cleaning and looking after babies. or match old people up with anything except 'amusingly grumpy old janitor wanted'

Re:um (1, Funny)

Anonymous Coward | more than 5 years ago | (#26598283)

You left out corporate HR and PR spokespersons. Black women only please. Lesbian, if available, for the company looking for a chic, liberal image.

Re:um (0, Redundant)

CarpetShark (865376) | more than 5 years ago | (#26598011)

Because it helps with marketing of the site. Data needed for a webapp is usually a subset of data actually collected by the sites/companies running that webapp. Not much hope of changing that, but it could at least be secured better.

Re:um (1)

aliquis (678370) | more than 5 years ago | (#26598145)

So the employer can know the age and gender of their workers? Ethnicity is somewhat less clear, but there are valid purposes such as the need to know one language or work with people of said ethnicity and so on.

Re:um (3, Informative)

AnthropomorphicRobot (1460839) | more than 5 years ago | (#26599371)

Making a judgment on who to hire/promote/etc. based on ethnicity is illegal in the United States, but an employer asking employees to voluntarily provide this information is legal, and in some cases necessary. Companies which win government contracts are required by law to file demographics data yearly. See http://www.eeoc.gov/press/9-12-06.html [eeoc.gov]: the EEO-1 requires companies with $50,000 in federal contracts and 50 employees to report to the government ethnicity, race and gender information on their employees.

Re:um (1)

phulegart (997083) | more than 5 years ago | (#26598799)

Wow... I'm guessing that AC hasn't filled out many applications... and I admit that I've only seen rare few applications ask about ethnicity... but otherwise, age, gender... two standards from my experience. Why would a job site care about Birthdate, Gender, and Race? Because EMPLOYERS care about Birthdates, Gender, and Race. Employers would like to know roughly how old their potential new employees will be, they like to know if they will be hiring a girl (for the day shift) or a guy (for the overnight third-shift they have had trouble with locals on).

Ethnicity...hmm..

Re:um (2, Informative)

SkyDude (919251) | more than 5 years ago | (#26599075)

Employers would like to know roughly how old their potential new employees will be,

Except under US law, it's illegal to ask an applicant's age. Now I know age can be figured from other sources - dates of school and college graduation, etc. - but I also know the anti-discrimination laws are totally being flaunted by online job sites. Many larger organizations have their own online applications and they claim to be administered by a third party, who will ask the birthdate for the purpose of conducting a background check.

They are breaking the law plain and simple.

Accountability (4, Insightful)

Zironic (1112127) | more than 5 years ago | (#26597789)

When will companies face accountability for the damages they cause due to lax data security?

Re:Accountability (2, Insightful)

homer_s (799572) | more than 5 years ago | (#26598083)

What do you consider to be "private data"? I was on a call with a customer last week who wanted a simple refer-a-friend type app. - they consider first-name and last-name to be private info and want to know about encryption, firewall policies, etc.

As a client, they certainly have the right to ask us to do all kinds of encryption (as long as they pay for it). But it is absurd what people consider to "private data" now.
All this will do is make other data like SSNs - treat some publicly known data as an authentication and authorization token and cause all kinds of problems for people.

Re:Accountability (4, Informative)

Zironic (1112127) | more than 5 years ago | (#26598253)

In Sweden it's defined as any combination of data that can individually identify a person.

Re:Accountability (0)

Anonymous Coward | more than 5 years ago | (#26598323)

Which is pretty much the best definition you can have.

Re:Accountability (1)

homer_s (799572) | more than 5 years ago | (#26598601)

Are phone directories (firstname, lastname, phonenumber) legal in Sweden?

Re:Accountability (2, Informative)

Zironic (1112127) | more than 5 years ago | (#26598701)

Yes, but afaik they're opt-in, usually as a part of your telephone subscription.

Re:Accountability (1)

gillbates (106458) | more than 5 years ago | (#26598449)

When programmers are expected to get it right the first time, just like engineers.

I kind of hate to be the harbinger of bad news, but ever since Microsoft managed to convince people that software defects were a *normal* part of computer operation, the chances of holding companies accountable for bugs, security breaches, etc... have gotten vanishingly small.

Re:Accountability (4, Interesting)

thethibs (882667) | more than 5 years ago | (#26598741)

Actually, it was IBM and CS academics that did that. OS360 was released with a long error list and assurance that this was normal for a product of that size. It was this era that produced factors like one error per so many LOC, where "so many" ranged from ten to a thousand depending on the source.

This was long before Microsoft existed and it didn't need much pushing. It was so self-serving that the software industry never argued against it. It also came just in time to meet a huge increase in demand for programmers that could only be met by lowering the bar for entry--so for most of the new crop of programmers, the predictions were accurate.

The sad idea of calling programmers "software engineers" in the hope that a new name would make them more diligent has clearly not worked. Since most are paid by the hour without reference to quality or results, it's unlikely that anything will ever work in this environment.

What's needed is a change in the business model that links payment to a finished, correct product. ISVs working on fixed-price contracts and firmware developers have very low error rates.

Define 'correct' (1)

mgkimsal2 (200677) | more than 5 years ago | (#26599495)

While I tend to agree, it's also more likely to happen when people commissioning the software accurately define what "correct" means (in your "correct product" definition above).

Re:Accountability (1)

PDG (100516) | more than 5 years ago | (#26598689)

The law is already on the books in Massachusetts. Check out my comment below.

I don't monster.com (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#26597803)

But here's my story.

A while ago, library [goatse.fr] bathroom, you know the rest.

Why keep the data (0)

Anonymous Coward | more than 5 years ago | (#26597807)

I wonder why monster.com holds on to their data (especially e-mail addresses) for so long.
At work, I see incoming mails from monster for employees that have left the company 5-10 years ago.
They should understand that someone looking for a job might actually find it, and his e-mail address could possibly change. After having received 550 replies on mails sent to members a couple of times, they should just delete the record (or at least the apparently invalid mail address).
Instead, they just go on trying...

Re:Why keep the data (2, Insightful)

CarpetShark (865376) | more than 5 years ago | (#26598661)

I wonder why monster.com holds on to their data (especially e-mail addresses) for so long.

Really? To e-commerce types, valid email addresses are like gold dust. Without them, you'll have a tough time launching your next site and getting its popularity built before your competitors do. With them, you can launch that site, spam all your existing customers with a thinly veiled "special offer" (note the "special" part which bypasses all "do not contact me" checkboxes), and you're in business.

If only there was somewhere... (5, Funny)

Anonymous Coward | more than 5 years ago | (#26597823)

If only there was some kind of service where you could advertise for a network security guy...

Big deal... (1)

richrumble (988398) | more than 5 years ago | (#26597841)

Spammers and phishers already have that data, name+email etc... sounds like a drop in the bucket to me. -rich clearsite.sourceforge.net

Re:Accountability (0)

Zerelli (579376) | more than 5 years ago | (#26597849)

Accountability will not happen until Data Security becomes easy enough to understand by the people who run things. Many companies think they are doing things the right way because the decision makers are not properly schooled in best practices or vulnerabilities. Do you really want the government to get involved in this? Does anyone think there is a government agency capable of the oversight necessary to decide when the hackers were just too smart? If you punish companies for data loss, that is akin to fining people for getting their house burgled. Hackers will always be one step ahead, especially with no good method of securing data assets for a cost that will allow businesses that are struggling already with a lousy economy to be protected. Ultimately there needs to be a task force of actual IT professionals who set standards for securing data and pursue cyber-criminals and malicious hackers. Keep it out of the hands of any existing agency because there is not one that has this sort of proficiency. Creation of a new agency would create a small boost to the IT sector as people would be regulated into complying with some sort of standard. Just dumping fines on someone for getting hacked is not a good business decision. It would be like giving billions to companies that had already shown they were not capable of sustaining a profit...

Re:Accountability (2, Interesting)

LordNimon (85072) | more than 5 years ago | (#26598807)

If you punish companies for data loss, that is akin to fining people for getting their house burgled.

Your analogy is completely flawed. If someone gave me an item to hold onto for him, and it was stolen when my house was burgled, then yes, I would be (partially) responsible. This would be especially true if I didn't take reasonable steps to protect my home.

If monster.com only had their information stolen, then we'd all just laugh at them and move on. But instead, through incompetence and laziness, they allowed our information to be stolen.

Greetings Monster.com user! (5, Funny)

assemblerex (1275164) | more than 5 years ago | (#26597859)

I am a Nigerian prince who wishes to hire you. I will send you a check for $60,000 to cover your employment of $55,000.
All I ask is that you purchase $5000 in laptops to send back to the parent company here. You can even keep one as your work computer.
As soon as we get the laptops we will send you another check for $100,000 to hire two employees. We only ask that the extra $10,000 be sent back to the parent company.

Re:Greetings Monster.com user! (1, Funny)

Anonymous Coward | more than 5 years ago | (#26597927)

You must be Barrister Mr. Ombugu Mgawatusi Sr. Esquire, I just got your email.

Re:Greetings Monster.com user! (1)

Kneo24 (688412) | more than 5 years ago | (#26598305)

Hey... Wait! I just got his mail too! Something fishy is going on here...

Re:Greetings Monster.com user! (1)

nextekcarl (1402899) | more than 5 years ago | (#26598873)

Maybe they just need to hire a lot of programmers? :)

Monster is pretty worthless anyway...but (3, Interesting)

Ritz_Just_Ritz (883997) | more than 5 years ago | (#26597887)

In these economic times people don't seem to care so much about "silly" things like privacy and security when they're scrapping for a job. In a better economy, I think people would be more inclined to make a big fuss. Sad.

Re:Monster is pretty worthless anyway...but (0)

Anonymous Coward | more than 5 years ago | (#26597977)

Sad but true. I graduated last summer and I've been unemployed since. I'd love to tell Monster where to shove it, but I'm desperate. Not even the supermarkets are hiring around here.

Hopefully (2, Funny)

Gates82 (706573) | more than 5 years ago | (#26597931)

Hopefully the data was stolen by a good employer.

--
So who is hotter? Ali or Ali's Sister?

Re:Hopefully (0)

Anonymous Coward | more than 5 years ago | (#26598267)

Who's Ali?

So what? (1)

rcharbon (123915) | more than 5 years ago | (#26597947)

Change your password. The rest of the info is already freely available from the resume you posted to Monster, right?

Re: the real question (0)

Anonymous Coward | more than 5 years ago | (#26597997)

The real question is: Why are they storing plaintext passwords? That's inexcusable.

Re:So what? (1)

chiguy (522222) | more than 5 years ago | (#26599367)

Change your password. The rest of the info is already freely available from the resume you posted to Monster, right?

The biggest problem is that most users who are not technically savvy use the same username and password for all their online activities, including job sites and banking.

If Monster had encrypted their passwords, this would be a significantly smaller problem.

Re:So what? (1)

corsec67 (627446) | more than 5 years ago | (#26599601)

If Monster had encrypted their passwords, this would be a significantly smaller problem.

I hope you meant "hashed". There is no reason whatsoever for a company to use anything but a one-way hash with a salt for storing passwords.

On the bright side (1)

WindowlessView (703773) | more than 5 years ago | (#26598001)

Maybe the hackers are hiring? (No polygraph or pee tests required.)

Re:On the bright side (1)

SirLurksAlot (1169039) | more than 5 years ago | (#26598095)

The hackers, no. They seem to be doing just fine without any help, thanks. The spammers and scammers, heck yeah! Business is booming baby!

Deleted my account. (0)

Anonymous Coward | more than 5 years ago | (#26598007)

Since this was their second data breach, and it doesn't look like they learned anything from last time I had them delete my account. It is not something that you can do as a user. You have to get one of the techs to do it. You can do it through an online chat. Also make sure they delete account and not just make everything private.

Re:Deleted my account. (1)

gorbachev (512743) | more than 5 years ago | (#26598081)

You really sure they actually deleted it?

I've had pretty poor results with requests to delete my account information in the past with various online entities. Buy.com, for example, never deletes anything...I am still getting spammed by them to four disabled accounts years after they were supposedly gone.

Re:Deleted my account. (1)

Vraylle (610820) | more than 5 years ago | (#26598193)

I deleted my account after the first incident, and followed up to make sure. They actually asked me why I wanted to delete it, and I spelled it out very plainly for them. Guess they didn't exactly take it to heart.

If they had to pay a dollar for every byte of data stolen, would that make these goofballs more cautious?

Re:Deleted my account. (1)

franl (50139) | more than 5 years ago | (#26599607)

I deleted my account too, but I was able to do it via the Web interface, without involving customer services.

Re:Deleted my account. (5, Informative)

chill (34294) | more than 5 years ago | (#26598489)

Log in, delete your resumes and cover letters, change your password to some random crap. Then, go to the preferences home page and there is a "cancel my account" option. Leave them a nice note explaining how they deserve to go out of business and where oh where could they find a security person with a clue about hashed password storage.

Re:Deleted my account. (1)

kshkval (591396) | more than 5 years ago | (#26599353)

Totally right on... it's what I just did. MF morons deserve it. I also wrote them a message about not 'fessing up in the first place.

On the plus side... (1, Funny)

Anonymous Coward | more than 5 years ago | (#26598019)

... I just got a job offer from the Russian Mob!

I only heard about this by chance the other day (0)

Anonymous Coward | more than 5 years ago | (#26598045)

And I could not go to that site and change my fucking password fast enough. Not only because of the personal info that is in my Monster account, but because it's one of the handful of 'high security' passwords I use at a few different sites-- if the bozos who made off with this data tried that password at some of the right other sites they could have ended up with a few of the keys to my kingdom.*

I think it is complete and total BS that Monster is not taking active steps to alert users.

I've been in the same job for 8 years, but I always keep a fairly up to date resume available on Monster. Haven't gone there recently though, so I would never have known about this if not for the story breaking on some of the news sites I read.

* Please don't give me any bullshit about 'you should have a separate password for every site'-- let's see how many completely random 14 character alphanumeric passwords YOU can memorize!

Re:I only heard about this by chance the other day (1)

ESarge (140214) | more than 5 years ago | (#26599399)

How about storing it on your own machine in a strongly encrypted file? e.g. PasswordSafe [sourceforge.net].

Bruce Schneier wrote the original at CounterPane.

No wonder (4, Interesting)

PutonBackBurner (1406907) | more than 5 years ago | (#26598055)

I went in to change my password to something over 25 characters, with letters (upper and lower), numbers and special characters. It kept notifying me that the pass was not strong enough. I reviewed and followed the instructions, then extended it to over 50 characters. I received the same warning message even when clicking on the submit button - wtf?

After several attempts, I tried logging out and logging in with the new pass. Guess what, it did change!

Bad interface, bad notifications, bad programming, bad (or no) testing. No wonder they got had.

I mean really, if you can't design and code a simple change password feature....

Re:No wonder (5, Informative)

pimpimpim (811140) | more than 5 years ago | (#26598217)

What's also very nice: I just went there to change it. The change password feature does NOT ask you for your old password. So anyone who finds an open monster session e.g. in an internet cafe can change the password of that user and kidnap the account. This is the situation after their attack, not very promising what the future concerns. These are really basic security features that take at most a few hours to implement.
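As an added illustration of two points raised in this thread (corsec67's "one-way hash with a salt" for storage, and the change-password form above that never asks for the current password), here is example code written for this page; it is not Monster's code or any library's API, and the in-memory `_users` dict and the PBKDF2 work factor are assumptions.

```python
import hashlib
import hmac
import os

# Assumed in-memory user store standing in for a database table:
# username -> (salt, PBKDF2 digest). No plaintext password is ever kept,
# so a dump of this table does not hand over reusable credentials.
_users = {}

ITERATIONS = 100_000  # assumed work factor; tune to your hardware


def _derive(password, salt):
    """One-way, salted key derivation (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def store_password(username, password):
    """Create or overwrite a record with a fresh random salt."""
    salt = os.urandom(16)
    _users[username] = (salt, _derive(password, salt))


def verify_password(username, password):
    """Constant-time comparison against the stored digest."""
    record = _users.get(username)
    if record is None:
        # Do the same amount of work for unknown users so response time
        # does not reveal whether the account exists.
        _derive(password, b"\x00" * 16)
        return False
    salt, digest = record
    return hmac.compare_digest(digest, _derive(password, salt))


def change_password_insecure(session_user, new_password):
    """The behaviour the comment above describes: a live session is the
    only thing checked, so anyone at an unattended browser can take over
    the account."""
    store_password(session_user, new_password)
    return True


def change_password(session_user, old_password, new_password):
    """Hardened version: the caller must prove knowledge of the current
    password before it is replaced."""
    if not verify_password(session_user, old_password):
        return False
    store_password(session_user, new_password)
    # In a real deployment also invalidate the user's other sessions here.
    return True


def digests_differ(user_a, user_b):
    """True when two accounts hold different digests even if they chose
    the same password: the per-user salt makes them differ, so a stolen
    table cannot be cracked once and applied to every account."""
    return _users[user_a][1] != _users[user_b][1]
```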

Re:No wonder (5, Informative)

pimpimpim (811140) | more than 5 years ago | (#26598249)

oh, and... it's not even using an SSL connection, just plain http. Crazy.

Re:No wonder (1)

PutonBackBurner (1406907) | more than 5 years ago | (#26598825)

I didn't even notice this! Good God!

They distracted me with the other issues...

unencrypted passwords ? (1, Interesting)

Anonymous Coward | more than 5 years ago | (#26598061)

This is rediculous now. In 2007 they had the same thing which included PASSWORDS and framed it as business contact info or the same thing included in your business card so don't worry...oh and change your password because they have that too.

I would be fired if we had a breach of security and I let out the door unencrypted passwords. I mean really, you have to assume at this point that data like that will be stolen at some point and have a plan to deal with it.

The unencrypted passwords part just kills me.

Anyone have their compliance officers email Patrick Manzo?

Re:unencrypted passwords ? (1)

RockMFR (1022315) | more than 5 years ago | (#26599267)

The passwords might have actually been encrypted. Nowhere in any of the articles provided does it say otherwise. It is likely that there was some sort of encryption being done. It's unfortunate that they did not provide more details.

Re:unencrypted passwords ? (0)

Anonymous Coward | more than 5 years ago | (#26599379)

Can you spell "ridiculous" correctly? Why not?

Cancel Your Accounts (5, Interesting)

db32 (862117) | more than 5 years ago | (#26598075)

If you have a Monster account cancel it and leave a note in the "why are you canceling?" box. Don't make it some rant, but make sure you explain that you will not tolerate their incompetence, their unwillingness to take security of their users' personal information seriously, and their total lack of integrity by trying to hide the breach from their users. Then explain that you will try to get everyone you know to cancel their account for their own security. Finding jobs is all about networking...so is taking down misbehaving companies.

Re:Cancel Your Accounts (0)

Anonymous Coward | more than 5 years ago | (#26598257)

Did just that. :)

Re:Cancel Your Accounts (0)

Anonymous Coward | more than 5 years ago | (#26598361)

It's the Slashdot mass exodus from Monster! Maybe all of us here at Slashdot should create accounts, put in random names, and then cancel 24 hours later.

Re:Cancel Your Accounts (0)

Anonymous Coward | more than 5 years ago | (#26598309)

If you have a Monster account cancel it and leave a note in the "why are you canceling?" box. Don't make it some rant, but make sure you explain that you will not tolerate their incompetence, their unwillingness to take security of their users' personal information seriously, and their total lack of integrity by trying to hide the breach from their users. Then explain that you will try to get everyone you know to cancel their account for their own security. Finding jobs is all about networking...so is taking down misbehaving companies.

done.

Re:Cancel Your Accounts (0)

Anonymous Coward | more than 5 years ago | (#26598381)

Done. Goddamn idiots.

Re:Cancel Your Accounts (1)

mcscooter (1166081) | more than 5 years ago | (#26598415)

Your data will still be in their databases though.

Re:Cancel Your Accounts (1)

LVSlushdat (854194) | more than 5 years ago | (#26598551)

I just did that very thing.. Apparently the earlier poster who said you couldn't do it from the webpage is no longer correct. They now have a "cancel membership" page...

Re:Cancel Your Accounts (2)

DiegoBravo (324012) | more than 5 years ago | (#26598561)

Your comment will be perfectly stored in that same database. At least the hackers will read about your discomfort, so remember to state your geek skills in that rant, so eventually they could offer you a more interesting work.

Re:Cancel Your Accounts (1)

chooks (71012) | more than 5 years ago | (#26598885)

This is what they say when you cancel it:

If you cancel your account, all of your saved information will be permanently deleted. This means you'll lose access to your profile and account information.

Of course, they may not actually delete the information, and it certainly exists in backups, but short of nuking it from orbit, there's not much else you can do as a (former) monster.com user (AFAIK, at least).

Re:Cancel Your Accounts (1)

KookyMan (850095) | more than 5 years ago | (#26598605)

I just canceled my account, after individually deleting each section, and replacing undeletable information with 'garbage' data.

One thing I did notice, I recently changed my password (On 17JAN09) and was not prompted to change my password upon login. It makes me wonder when this breach happened, and if anyone will be prompted to change their passwords, or if I had already changed my password after the breach, but prior to the official notification.

Re:Cancel Your Accounts (0)

Anonymous Coward | more than 5 years ago | (#26598835)

done.
boy am i glad i used an email address proxy [sneakemail.com] when i registered w/ monster.

Re:Cancel Your Accounts (1)

Shados (741919) | more than 5 years ago | (#26599183)

I'm probably fucking blind, but I can't seem to find the damn delete button. Can't be that hard to find considering all the people who replied to you saying they did it.

Re:Cancel Your Accounts (1)

Shados (741919) | more than 5 years ago | (#26599231)

Yeah, I really was blind. Found it now :)

No Resumes? (1)

Dunx (23729) | more than 5 years ago | (#26598093)

"No resumes were stolen."

Uh huh. So there's no possibility that the malefactors will log in with the stolen user IDs and passwords and collect resumes from people's accounts?

Re:No Resumes? (0)

Anonymous Coward | more than 5 years ago | (#26599369)

Holy shit! You mean someone is going to use the stolen accounts and log in as them?!? /Monster.com Security Manager

The Monster in the closet (0)

Anonymous Coward | more than 5 years ago | (#26598111)

As is the case with many companies that maintain large databases of information, Monster is the target of illegal attempts to access and extract information from its database. We recently learned our database was illegally accessed and certain contact and account data were taken, including Monster user IDs and passwords, email addresses, names, phone numbers, and some basic demographic data.

Illegal access wouldn't have given the intruders anything if this company had not been negligent in securing the data. The fact that something is illegal is no protection; the problem is purely that they were able to access the data.

while no company can completely prevent unauthorized access to data

Yes they can!

Wouldn't it just be hilarious if... (2, Funny)

v1 (525388) | more than 5 years ago | (#26598187)

the person that stole the data emailed the users instead:

Monster.com let me steal your personal information, not once but twice, knew about it, and didn't feel like letting you know, so I thought I would instead.

Click this link [monster.com] to send an email to monster.com to let them know what you think about their security and their policy for handling of breaches.

- The Haxors

BONUS! If you click on the javascript form (can't link directly to it) on their main page up top right that says Help and Security [monster.com], there are two interesting bullet points lower right:

- Protect yourself against online fraud
- Contact us

Those two really shouldn't be so close together on the same page?

Re:Wouldn't it just be hilarious if... (0, Flamebait)

v1 (525388) | more than 5 years ago | (#26598211)

I have a politically incorrect comment to make also. On Monster's home page [monster.com] there's a "learn more" video that has a static title picture of the guy that's responsible for your being unemployed in the first place.

So do it yourself (1)

Chris L. Mason (3425) | more than 5 years ago | (#26598219)

So grab their user database and send out the email notifications yourself!

Talk about.. (1)

Ka D'Argo (857749) | more than 5 years ago | (#26598317)

Talk about some "monstrous" bad web security.

Won't email but there is a cute little... (1)

jaynis (599486) | more than 5 years ago | (#26598333)

security notice on the front page. They probably think that email about data breach would feel like phishing, so they will require password resets at next log-in across the board for everyone affected. http://help.monster.com/besafe/jobseeker/index.asp [monster.com] .j.

Who cares? (0)

Anonymous Coward | more than 5 years ago | (#26598339)

I can find that very same information about anyone (except their passwords) here:
http://www.public-records-now.com/

I'm not terribly surprised (5, Informative)

kimvette (919543) | more than 5 years ago | (#26598473)

I'm not terribly surprised. They have a casual approach toward development and quality assurance. In the early days of Monster at TMP Worldwide the QA department consisted of just two people - Fidelity demanded they focus more on QA so they brought me in (Fidelity was and probably still is their single largest account. At the time probably 75% of the jobs were Fidelity postings).

The code running the site was atrocious - and the web server consisted of a single DEC Unix box. They had terrible cross-browser issues (I can't remember if it was Netscape, which was still dominant at the time, or MSIE which completely broke). The developers had no clue what was wrong, so I did some digging and the issue was a lot of table cells and even table rows were never being closed. I logged the defects and was given access to the code (which was Datapult PF at the time - thank god it was not easy-to-write/impossible-to-read perl). I worked with the developers (coders, really) to identify where each type of cell was being generated, and where it should be closed. The code was such that I had to print it on a line printer and trace with pens where each cell was being opened, and there were a lot of cases where the code was not nested properly. It was UGLY. Well, after a few days I had fixed the bugs and it was rendering properly in "all" of the two major browsers, and even AOL.

(as an aside, Datapult PF was kind of neat - very readable and a much better alternative than ASP. I had taken the defect tracking system and enhanced it and wanted to clean up the database schema but there just wasn't time)

Then, by the time they closed the Framingham facility and moved to Maynard, the Fidelity contract had been finalized so they axed most of QA (read: all but one person) and offered me a job as a developer - for $38K, which was just slightly over half of what I was making as a QA engineer. I told them thanks, but no thanks, that $38K is actually quite insulting.

I don't know if they have a proper QA process and department in place, but back when I was there (1997 or 1998) the only people who liked the fact that there even was QA at all were the developers. Management, sales, etc. all hated us, and the parent company (TMP Worldwide) looked at QA as a cost center. They Just Didn't Get It then, and I wouldn't be surprised if they still do not have QA now and Still Don't Get It.

I don't know what they're running for a back end now, but the response headers say IIS 6.0 so I'd presume ASP.net. For .Net and PHP there are plenty of harnesses to test for SQL injection bugs, which If They Get It, they would be running against the site, but far more likely it's a human issue (someone selling the info, since TMP Worldwide grossly under-pays permanent Monster employees, or at least did at the time) or the Windows server has a rootkit on it (if it is in fact IIS 6.0) -- or is the result of an untested bridge to other systems they integrate with. If their modus operandi is still that of TMP Worldwide and they view QA as unnecessary unless a client demands it before awarding a large contract (Fidelity is a company which Does Get It) then I would not be surprised if QA personnel and processes are both totally lacking.

It was a fun contract - don't get me wrong. I liked the people I worked with, and I liked working with the developers to fix the problem, but TMP as a whole just doesn't get it. Monster needs to be run internally like a software company, since it is a large internally-developed software project which is CONSTANTLY being enhanced with more and more features and integrated with other systems (ad servers, etc.). It's not a small project by any means and proper QA from requirements through deployment and maintenance is the only way to minimize liabilities such as this.

As an aside: does anyone out there remember the sleeping monster? The sleeping monster was in place whenever code was being moved from the staging server to the live server, or when the Oracle database would go down. The sleeping monster (I forgot his name) was up far too often back in those days. I haven't seen him posted in years -- not that I visit monster.com all that often. I do have an account on there so I can view features when a client refers to them (e.g., "I want $foo like Monster").

Having said that, I do hope they now get it and have proper QA in place.

Wow, it's been a long time!

Re:I'm not terribly surprised (1)

Stan Vassilev (939229) | more than 5 years ago | (#26599103)

Hi, interesting post. I noticed you said Datapult PF was much easier to read/understand than ASP (at the time).

I tried to find examples of the syntax and features of Datapult PF, but I couldn't come up with anything. It's not even on the Web Archive.

I'd really like to see examples of its syntax and features, to get a basic feel for it, if you have any. Thanks!

Re:I'm not terribly surprised (1)

kimvette (919543) | more than 5 years ago | (#26599203)

I have looked for it in recent years (I wanted to toy around with it) and can't find mirrors of the original site, just sites praising it and very old binaries. :(

I didn't say it was easier to read than ASP - it's easier to read than perl, but at the time was better than ASP. Very easily extended, very modular, etc. - much like PHP is now.

Re:I'm not terribly surprised (1)

JWSmythe (446288) | more than 5 years ago | (#26599249)

I interviewed with them about a year ago in Maynard. It seemed like they had a decent shop set up. The folks that I interviewed with were knowledgeable.

I got there just after a huge blizzard blew through. My first flight was canceled. My second flight was late. I barely got any sleep at a friend's place before heading out there.

If they'd hired me, and if I'd had the access to catch something easy like "all your passwords are plain text", that's one thing. Even if I kicked and screamed, I don't know if they would have changed anything. If I've learned anything in the corporate world, all it takes is one person senior to me to say "It's too difficult to change that." and it goes away.

All I really got out of it was a lot of flying; seeing a friend who I'd only talked to via email and phone for years; and the lovely experience of showing up to my then night shift job, dressed very nicely for freezing weather. I got off the plane, into my car, and drove straight to work. I'm living in Florida right now, so I was very very much out of place.

It seems they have a pretty large *nix infrastructure now. I don't know how much of it is used for what though. They were moderately open with me, but not so much as I'd walk out with any company secrets.

Well, (1)

EspressoFreak (237002) | more than 5 years ago | (#26598545)

at least I'd know who to blame this time when my e-mail is bombarded by penis enlargement advertisements.

Sync'd With the Latest Release (1)

Frankenshteen (1355339) | more than 5 years ago | (#26598623)

Didn't they just do a banner blitz announcing how new and improved they were? Most things never change.

Massachusetts Breach Law (4, Informative)

PDG (100516) | more than 5 years ago | (#26598633)

Not only is this violation bad in principle, it's a violation in Massachusetts and several other states: http://privacylaw.proskauer.com/2007/08/articles/security-breach-notification-l/massachusetts-is-39th-state-to-mandate-breach-notification/ [proskauer.com]
The real kicker is the law requires the firm with a data breach to inform several state agencies AS WELL AS the person whose data has been compromised:

"The law requires that a person or agency that owns or licenses personal information about a resident of the commonwealth notify the attorney general, the director of consumer affairs and business regulation, and the affected resident if it "knows or has reason to know of a breach of security""

Re:Massachusetts Breach Law (3, Interesting)

chiguy (522222) | more than 5 years ago | (#26599239)

Does anyone go to jail for breaking this law?

That's the only way to really get people to follow it. Look at Sarbanes-Oxley, whether you think it's efficient use of documentation, the risk of jail for top executives got them serious about covering their asses.

Corporations are perfectly willing to pay fines, since fines don't generally affect executive compensation.

So What? Was your data there real after all? (0)

Anonymous Coward | more than 5 years ago | (#26598645)

What is all this ingenuity, people? Does anybody expect any electronic protection mechanism to be forever 100% safe?

Monster is a very big center of interest; it necessarily attracts criminals as well as decent professionals and, sometimes, employers.

Exposure means vulnerability. That's universally real; nothing to do about it.

The amount of personal information about myself on Monster is limited to name and email. Never is my current employer mentioned there, never is my mobile or phone number, nor my real postal address or code as such; potential employers may ask me directly. All the info on the CV (including studies and old employers) is real and public, and is supposed to be.

Nevertheless, when taken with salt, Monster remains an invaluable contact point. And certain sticky headhunters calling in the middle of the night from overseas haven't managed to get their hands on my mobile yet.

Password safes (4, Informative)

thepacketmaster (574632) | more than 5 years ago | (#26598669)

This is why I only use randomly generated passwords for these type of sites, and store them in my password safe. They may have gotten my monster password, but they won't be getting into anything else.

Re:Password safes (1)

cathector (972646) | more than 5 years ago | (#26598875)

This is a great idea but also sounds like a PITA, having to look up a random pw to log into a site.
You could 'generate' a hashed password for each site, and just remember the salt.
That way if your safe got lost or you didn't have access to it you could still derive your password for each site.

E.g., password = MD5(siteName + myAwesomeSecretSalt) + charsToMakeItPassPasswordRequirements.
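
As an added example (mine, not code from this thread), here is cathector's derivation scheme in Python, followed by the attacker's side that horza's objection points at: the site name is public and MD5 is fast and unsalted, so one derived password leaked in a breach like Monster's lets an attacker test guesses for the secret offline and, on a hit, derive every other site's password from its name. The suffix `A1!`, the secret phrase and the wordlist are constructed for the example; the comment only says "charsToMakeItPassPasswordRequirements".

```python
import hashlib
import string

# Fixed tail so the derived value meets typical "must contain a digit and a symbol"
# rules. The exact suffix is an assumption made for this example.
SUFFIX = "A1!"


def derive_password(site_name: str, secret: str, suffix: str = SUFFIX) -> str:
    """cathector's scheme: hex(MD5(siteName + secret)) followed by a fixed suffix."""
    digest = hashlib.md5((site_name + secret).encode("utf-8")).hexdigest()
    return digest + suffix


def is_well_formed(password: str, suffix: str = SUFFIX) -> bool:
    """Sanity check on the output shape: 32 hex characters followed by the suffix."""
    if suffix and not password.endswith(suffix):
        return False
    body = password[: len(password) - len(suffix)] if suffix else password
    return len(body) == 32 and all(c in string.hexdigits for c in body)


def recover_secret(site_name: str, leaked_password: str, candidates, suffix: str = SUFFIX):
    """Attacker's view after a breach: the site name is known, the scheme is public,
    and MD5 costs almost nothing per guess, so the secret can be brute-forced offline
    against a single leaked derived password. Returns the first matching guess or None."""
    for guess in candidates:
        if derive_password(site_name, guess, suffix) == leaked_password:
            return guess
    return None


def demo() -> dict:
    # Constructed secret: the placeholder phrase from cathector's own comment.
    secret = "myAwesomeSecretSalt"
    monster_pw = derive_password("monster.com", secret)
    amazon_pw = derive_password("amazon.com", secret)

    # Constructed wordlist standing in for a real dictionary; only the size differs in practice.
    wordlist = ["password", "letmein", "correct horse", "myAwesomeSecretSalt"]
    recovered = recover_secret("monster.com", monster_pw, wordlist)

    return {
        "monster": monster_pw,
        "amazon": amazon_pw,
        "recovered_secret": recovered,
        # Once the secret is known, every other site's password follows from its name.
        "amazon_from_recovered": derive_password("amazon.com", recovered) if recovered else None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The per-site passwords are unique and deterministic, which is the convenience cathector is after; the cost is that the scheme has exactly one secret protecting all of them and nothing slowing down a guesser, which is why a password safe with independent random passwords (thepacketmaster's approach) holds up better after a breach.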

Re:Password safes (1)

horza (87255) | more than 5 years ago | (#26599301)

It's not really a PITA if you usually use one machine, in which case Firefox will remember the password for you after it's entered the first time. You only have to do it each time you change machines or reformat, and the balance of effort vs. security seems well worth it. I bet the first thing the person that filched the monster.com usernames/passwords did was to use the same username (and variations on the real name) plus password to log into Amazon, eBay, online gambling sites, and anywhere they can spend money. You'd be amazed at the number of people that use the same username and password across sites. Very profitable.

Your idea is less secure (security through obscurity) and I can't see that it's any easier than using the nice wide range of point-and-click password safe apps out there. The password file is strongly encrypted so you can upload it somewhere as a backup. Not to say it's a bad idea though if it works for you; it is more than enough to put off any casual hacker.

Phillip.

Viral marketing? (1)

ktappe (747125) | more than 5 years ago | (#26598691)

I hadn't visited Monster in years, but this story made me go over there and log in and update my profile (after I e-mailed them asking if my account was one of those compromised.) If this was viral marketing to get them more visits, it worked in my case.

baffled (1)

danlip (737336) | more than 5 years ago | (#26599059)

I am a programmer but by no means a security expert. However, when I store passwords I use an irreversible hash with salt. It's not hard to implement (1 day's work). How can any site as big as Monster not be doing this? I also use PreparedStatements (in Java) for executing SQL; again it's not hard and prevents injection attacks. I am baffled every time I hear of a site compromised by that type of attack. How can people not be using something like PreparedStatements? (I am especially pissed when a site makes me use one of my good passwords (by requiring numbers and symbols and a certain length), then emails the password back to me in plain text, or does crappy security like Monster.)
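
As an added example (mine, not code from this thread or from Monster.com), here is the pattern danlip describes, in Python with sqlite3: a salted, irreversible password hash stored in place of the password (PBKDF2-SHA256 is my choice of hash; the comment only says "irreversible hash with salt"), and a parameterized lookup, the Python equivalent of a Java PreparedStatement, shown beside the string-spliced query it replaces so that a `' OR '1'='1` input demonstrates what the unsafe form leaks. The table schema, the sample users and their passwords are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3

# Work factor for PBKDF2; an assumption for this example, tune to your hardware.
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, irreversible: the database keeps (salt, hash), never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for the site's real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL)"
    )
    return conn


def register(conn: sqlite3.Connection, email: str, password: str) -> None:
    salt = os.urandom(16)  # fresh random salt per user, so equal passwords hash differently
    conn.execute(
        "INSERT INTO users (email, salt, pw_hash) VALUES (?, ?, ?)",
        (email, salt, hash_password(password, salt)),
    )
    conn.commit()


def find_user_unsafe(conn: sqlite3.Connection, email: str):
    """The anti-pattern: user input spliced into the SQL text. An email of
    ' OR '1'='1 turns the WHERE clause into a tautology and returns every row,
    which is the kind of query that walks a whole user table out of a site."""
    sql = "SELECT email, salt, pw_hash FROM users WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, email: str):
    """Parameterized query: the driver binds the value, so the input is data, not SQL."""
    return conn.execute(
        "SELECT email, salt, pw_hash FROM users WHERE email = ?", (email,)
    ).fetchall()


def verify_login(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    rows = find_user_safe(conn, email)
    if len(rows) != 1:
        return False
    _, salt, stored_hash = rows[0]
    return hmac.compare_digest(hash_password(password, salt), stored_hash)


def demo() -> dict:
    conn = make_db()
    register(conn, "alice@example.com", "correct horse battery")
    register(conn, "bob@example.com", "hunter2")
    register(conn, "carol@example.com", "hunter2")  # same password as bob, different salt
    payload = "' OR '1'='1"
    return {
        "alice_ok": verify_login(conn, "alice@example.com", "correct horse battery"),
        "alice_wrong": verify_login(conn, "alice@example.com", "wrong"),
        "unsafe_rows_leaked": len(find_user_unsafe(conn, payload)),
        "safe_rows": len(find_user_safe(conn, payload)),
        "payload_login": verify_login(conn, payload, "anything"),
        "bob_carol_hashes_differ": find_user_safe(conn, "bob@example.com")[0][2]
        != find_user_safe(conn, "carol@example.com")[0][2],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Even the unsafe query here only leaks salts and hashes, which is the point of storing them that way: an attacker who dumps the table still has to grind through PBKDF2 per user, whereas the plaintext passwords Monster stored were usable the moment they left the building.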

resumes WERE stolen. (0)

Anonymous Coward | more than 5 years ago | (#26599237)

I've been getting spam on my special Monster email address which is ONLY USED ON MY RESUME POSTED TO MONSTER. My Monster account email address WAS NOT SPAMMED (it's different).
So they're completely clueless as to the extent of the data breach. Resumes were stolen, and sold to spammers.
