Monster.com hit by new breach

 

The company announced that its database was illegally accessed, and information including monster user IDs and passwords, email addresses, names, phone numbers, and basic demographic data was stolen.

"The information access does not include resumes," said the firm in a statement. "Monster does not generally collect - and the accessed information does not include - sensitive data such as social security numbers or personal financial data."

Monster.com chose not to email its users with news of the information, arguing that it did not want to give phishers an opportunity to capitalise on an email campaign to impersonate the company.

The breach affected Monster.com sites in north America and western Europe.

This is not the first time that monster.com has suffered from a data breach. In August 2007, the company admitted that data on the least 1.3 million users had been compromised. The breach, found by Symantec, involved the use of the PRG trojan, which gave attackers access to some recruiters' accounts, which were then used to pilfer user data, said Don Jackson, senior security researcher at Atlanta-based SecureWorks. Then, in November the same year, the company was hit by an IFRAME attack, which served up malicious code to job seekers visiting its Monster Company Boulevard web property.

When asked what it had learned from its previous breaches, a Monster.com spokesperson told Infosecurity: "We cannot comment on specific security measures, but Monster has made a significant investment in enhancing data security and we believe that our security measures are as, or more, robust than other sites in our industry." The spokesperson refused to discuss how database encryption could have prevented the latest breach, and would not divulge any security methodologies, or certifications such as ISO 27000, that the firm may or may not have attained.

What’s Hot on Infosecurity Magazine?