Monster.com Data Stolen, Won't Email Users
chiguy writes "There's been another break-in at Monster.com. It's surprising that there are still unencrypted passwords stored in the database despite the previous hack, as is the decision to not email users — presumably so that no one will make a fuss. From PC World: 'Monster.com user IDs and passwords were stolen, along with names, e-mail addresses, birth dates, gender, ethnicity, and in some cases, users' states of residence. The information does not include Social Security numbers, which Monster.com said it doesn't collect, or resumes. Monster.com posted the warning about the breach on Friday morning and does not plan to send e-mails to users about the issue, said Nikki Richardson, a Monster.com spokeswoman. The SANS Internet Storm Center also posted a note about the break-in on Friday.'"
Re:um (Score:3, Informative)
Why the hell is a job search site collecting birth date, gender, and ethnicity information?
Most online applications have the optional equal opportunity information fields. Monster offers a way to auto submit this information. I'm not sure about the DOB, but this additional information is optional on Monster.
--
So who is hotter? Ali or Ali's Sister?
Re:No wonder (Score:5, Informative)
Re:Accountability (Score:5, Informative)
In Sweden it's defined as any combination of data that can individually identify a person.
I'm not terribly surprised (Score:5, Informative)
I'm not terribly surprised. They have a casual approach toward development and quality assurance. In the early days of Monster at TMP Worldwide the QA department consisted of just two people - Fidelity demanded they focus more on QA so they brought me in (Fidelity was and probably still is their single largest account. At the time probably 75% of the jobs were Fidelity postings).
The code running the site was atrocious - and the web server consisted of a single DEC Unix box. They had terrible cross-browser issues (I can't remember if it was Netscape, which was still dominant at the time, or MSIE which completely broke). The developers had no clue what was wrong, so I did some digging and the issue was a lot of table cells and even table rows were never being closed. I logged the defects and was given access to the code (which was Datapult PF at the time - thank god it was not easy-to-write/impossible-to-read perl). I worked with the developers (coders, really) to identify where each type of cell was being generated, and where it should be closed. The code was such that I had to print it on a line printer and trace with pens where each cell was being opened, and there were a lot of cases where the code was not nested properly. It was UGLY. Well, after a few days I had fixed the bugs and it was rendering properly in "all" of the two major browsers, and even AOL.
(as an aside, Datapult PF was kind of neat - very readable and a much better alternative than ASP. I had taken the defect tracking system and enhanced it and wanted to clean up the database schema but there just wasn't time)
Then, by the time they closed the Framingham facility and moved to Maynard, the Fidelity contract had been finalized so they axed most of QA (read: all but one person) and offered me a job as a developer - for $38K, which was just slightly over half of what I was making as a QA engineer. I told them thanks, but no thanks, that $38K is actually quite insulting.
I don't know if they have a proper QA process and department in place, but back when I was there (1997 or 1998) the only people who liked the fact that there even was QA at all were the developers. Management, sales, etc. all hated us, and the parent company (TMP Worldwide) looked at QA as a cost center. They Just Didn't Get It then, and I wouldn't be surprised if they still do not have QA now and Still Don't Get It.
I don't know what they're running for a back end now, but the response headers say IIS 6.0 so I'd presume ASP.net. For .Net and PHP there are plenty of harnesses to test for SQL injection bugs, which, If They Get It, they would be running against the site, but far more likely it's a human issue (someone selling the info, since TMP Worldwide grossly under-pays permanent Monster employees, or at least did at the time) or the Windows server has a root kit on it (if it is in fact IIS 6.0) -- or is the result of an untested bridge to other systems they integrate with. If their modus operandi is still that of TMP Worldwide and they view QA as unnecessary unless a client demands it before awarding a large contract (Fidelity is a company which Does Get It) then I would not be surprised if QA personnel and processes are both totally lacking.
It was a fun contract - don't get me wrong. I liked the people I worked with, and I liked working with the developers to fix the problem, but TMP as a whole just doesn't get it. Monster needs to be run internally like a software company, since it is a large internally-developed software project which is CONSTANTLY being enhanced with more and more features and integrated with other systems (ad servers, etc.). It's not a small project by any means and proper QA from requirements through deployment and maintenance is the only way to minimize liabilities such as this.
As an aside: does anyone out there remember the sleeping monster? The sleeping monster was in place whenever code was being moved from the staging server to the live server, or when the Oracle database would go down. The sleep
Re:Deleted my account. (Score:5, Informative)
Log in, delete your resumes and cover letters, change your password to some random crap. Then, go to the preferences home page and there is a "cancel my account" option. Leave them a nice note explaining how they deserve to go out of business and where oh where could they find a security person with a clue about hashed password storage.
Re:um (Score:4, Informative)
Actually, they make most of their money through large contracts from companies that post lots of jobs. Fidelity was their first large one, or so I heard before I was asked to come aboard, and was the reason they had ANY QA at all (see below) in the beginning.
TMP Worldwide is the parent company of Fidelity and is (or was) one of the largest temp firms in the world. They created Monster so they could find recruits for their own clients - that was fairly well known at the time.
Now I suspect they make the vast majority of their revenue through advertising revenue. Ever go on the site and see all the advertising features? "In your face" hardly begins to describe it.
Massachusetts Breach Law (Score:5, Informative)
The real kicker is the law requires the firm with a data breach to inform several state agencies AS WELL AS the person whose data has been compromised:
"The law requires that a person or agency that owns or licenses personal information about a resident of the commonwealth notify the attorney general, the director of consumer affairs and business regulation, and the affected resident if it 'knows or has reason to know of a breach of security'"
Password safes (Score:5, Informative)
Re:Accountability (Score:3, Informative)
yes, but afaik they're opt-in usually as a part of your telephone subscription.
Re:um (Score:3, Informative)
Employers would like to know roughly how old their potential new employees will be,
Except under US law, it's illegal to ask an applicant's age. Now I know age can be figured from other sources - dates of school and college graduation, etc. - but I also know the anti-discrimination laws are totally being flaunted by online job sites. Many larger organizations have their own online applications and they claim to be administered by a third party, who will ask the birthdate for the purpose of conducting a background check.
They are breaking the law plain and simple.
Re:um (Score:3, Informative)
Re:um (Score:2, Informative)
WTF are you on about?!?!? TMP has NEVER been the parent company of fidelity and has never had a damn thing to do with anything fidelity does EXCEPT have monster run their careers site.
TMP is the parent company of monster, renaming themselves monster worldwide or something some years back when the dotcom shtf. TMP was the temporary labor division and monster was the online division.
Your facts are fuct for someone claiming to 'be aboard' either fidelity or monster, so much for knowing the background of the company you work for.
Re:Accountability (Score:2, Informative)
I agree, this seems to be a growing problem. These companies seem to have little incentive to protect us, so perhaps they need a disincentive to let our data get stolen. I think it should be indexed to the number of accounts compromised and also increase with every violation. It is just criminal that these companies have next to zero accountability to protect their customers.
They'll just find a better way to get around disclosing information. Some legal, yet convoluted loophole. "No officer, that information wasn't personal." or like Heartland Payment Systems did, disclose it at an inappropriate time, and state that essentially, special information (addresses) wasn't lost, so they're not responsible if someone ingeniously cross-references a phone directory to the stolen data.
Re:No Resumes? (Score:3, Informative)
You must have missed the last 800 times this has happened to companies. They steal the email/name/username and the password, then try them on other sites with something more valuable to them (read: paypal, banks, online stores that also keep credit card info).
BTW, in case it's not obvious from what I just wrote: make sure you use a different password on every website. Even if it's only a small variation on a simple password, it might not stop a friend from guessing it, but it will stop a hacker with a database of 2 million name/password pairs from bothering to try changing 'password001' to 'password002'.