If a website collects, stores and processes detailed personal information on millions of people, you’d expect it to take security seriously.
Indeed, Monster.com has “a full-time worldwide security team, which constantly monitors for both suspicious behaviour on our site and illicit use of information in our database”.
Unfortunately, this team (and monster will not disclose any details or even the number of people in the team), don’t appear to be very effective.
In 2007, hackers obtained 1.6million Monster.com users details. This was public and embarrassing, so you’d expect them to tighten their security and processes further.
Then in 2008, a further 1.6million records were stolen. OK, so maybe it’s time to have another look at the way security is implemented at Monster.com. Indeed, Monster themselves wrote:
“Monster has made, and will continue to make, a significant investment in enhancing data security, and we believe that Monster’s security measures are as, or more, robust than other sites in our industry”.
So, good. Problem fixed right?
Er, no. On 23rd January 2009 hackers again managed to steal yet more user data. This time though, they’re not saying whose data has been breached. No emails to users of Monster to make them aware that their employment history, address, date of birth, and education history are in the hands of ‘black hats‘. Apparently monster are worried that an email to notify their clients will result in further phishing scams by the black hats using their email as a template. Seriously, that’s what they said (more or less):
“Monster elected not to send e-mail notifications to avoid the risk those e-mails would be used as a template for phishing e-mails targeting our job seekers and customers. We believe placing a security notice on our site is the safest and most effective way to reach the broadest audience. As an additional precaution, we will be making mandatory password changes on our site. ” monster.com
So unlike ebay, Amazon, Itunes, and every other retailer or indeed bank, Monster.com does not feel it can communicate a simple warning about the issue and the dangers of possible phishing scams. Maybe a short “Sorry, we were hacked again – you’d better change all your passwords for other sites that are similar to the credentials we let slip” email is all they need to send, but send something they should. I’d be interested to hear if they send out marketing emails still, or perhaps they’ve ‘gone dark’. Faxes only from now on?
Luckily I don’t use monster.com, but if they’d lost my details, I’d prefer it if they let me know.
All of that sounds like a PR nightmare for monster.com, but how about this to ice the cake: Users of monster that read about this issue, will likely attempt to change their password for that site a.s.a.p. Many of those returning users will have forgotten the original password they used, and so will go through the ‘Forgotten Password’ route to reset it. Remember that “full-time, worldwide security team”? They don’t appear to have noticed that this password reset process sends the password in clear text (well spotted Richard).