Security Businesses

Monster.com Data Stolen, Won't Email Users

chiguy writes "There's been another break-in at Monster.com. It's surprising that there are still unencrypted passwords stored in database despite the previous hack, as is the decision to not email users — presumably so that no one will make a fuss. From PC World: 'Monster.com user IDs and passwords were stolen, along with names, e-mail addresses, birth dates, gender, ethnicity, and in some cases, users' states of residence. The information does not include Social Security numbers, which Monster.com said it doesn't collect, or resumes. Monster.com posted the warning about the breach on Friday morning and does not plan to send e-mails to users about the issue, said Nikki Richardson, a Monster.com spokeswoman. The SANS Internet Storm Center also posted a note about the break-in on Friday.'"

  • by Ritz_Just_Ritz ( 883997 ) on Sunday January 25, 2009 @10:24AM (#26597887)

    In these economic times people don't seem to care so much about "silly" things like privacy and security when they're scrapping for a job. In a better economy, I think people would be more inclined to make a big fuss. Sad.

  • No wonder (Score:4, Interesting)

    by PutonBackBurner ( 1406907 ) on Sunday January 25, 2009 @10:57AM (#26598055)
    I went in to change my password to something over 25 characters, with letters (upper and lower), numbers and special characters. It kept notifying me that the pass was not strong enough. I reviewed and followed the instructions, then extended it to over 50 characters. I received the same warning message even when clicking on the submit button - wtf?

    After several attempts, I tried logging out and logging in with the new pass. Guess what, it did change!

    Bad interface, bad notifications, bad programming, bad (or no) testing. No wonder they got had.

    I mean really, if you can't design and code a simple change password feature....
  • by Anonymous Coward on Sunday January 25, 2009 @10:59AM (#26598061)

    This is ridiculous now. In 2007 they had the same thing which included PASSWORDS and frame it as business contact info or the same thing included in your business card so don't worry...oh and change your password because they have that too.

    I would be fired if we had a breach of security and I let out the door unencrypted passwords. I mean really you have to assume at this point that data like that will be stolen at some point and have a plan to deal with it.

    The unencrypted passwords part just kills me.

    Anyone have their compliance officer's email Patrick Manzo?

  • Cancel Your Accounts (Score:5, Interesting)

    by db32 ( 862117 ) on Sunday January 25, 2009 @11:00AM (#26598075) Journal
    If you have a Monster account cancel it and leave a note in the "why are you canceling?" box. Don't make it some rant, but make sure you explain that you will not tolerate their incompetence, their unwillingness to take security of their users' personal information seriously, and their total lack of integrity by trying to hide the breach from their users. Then explain that you will try to get everyone you know to cancel their account for their own security. Finding jobs is all about networking...so is taking down misbehaving companies.
  • Re:Accountability (Score:5, Interesting)

    by thethibs ( 882667 ) on Sunday January 25, 2009 @12:42PM (#26598741) Homepage

    Actually, it was IBM and CS academics that did that. OS360 was released with a long error list and assurance that this was normal for a product of that size. It was this era that produced factors like one error per so many LOC, where "so many" ranged from ten to a thousand depending on the source.

    This was long before Microsoft existed and it didn't need much pushing. It was so self-serving that the software industry never argued against it. It also came just in time to meet a huge increase in demand for programmers that could only be met by lowering the bar for entry--so for most of the new crop of programmers, the predictions were accurate.

    The sad idea of calling programmers "software engineers" in the hope that a new name would make them more diligent has clearly not worked. Since most are paid by the hour without reference to quality or results, it's unlikely that anything will ever work in this environment.

    What's needed is a change in the business model that links payment to a finished, correct product. ISVs working on fixed-price contracts and firmware developers have very low error rates.

  • Re:Accountability (Score:2, Interesting)

    by LordNimon ( 85072 ) on Sunday January 25, 2009 @12:52PM (#26598807)
    If you punish companies for data loss, that is akin to fining people for getting their house burgled.

    Your analogy is completely flawed. If someone gave me an item to hold onto for him, and it was stolen when my house was burgled, then yes, I would be (partially) responsible. This would be especially true if I didn't take reasonable steps to protect my home.

    If monster.com only had their information stolen, then we'd all just laugh at them and move on. But instead, through incompetence and laziness, they allowed our information to be stolen.
  • by chiguy ( 522222 ) on Sunday January 25, 2009 @01:49PM (#26599239) Homepage

    Does anyone go to jail for breaking this law?

    That's the only way to really get people to follow it. Look at Sarbanes-Oxley, whether you think it's efficient use of documentation, the risk of jail for top executives got them serious about covering their asses.

    Corporations are perfectly willing to pay fines, since fines don't generally affect executive compensation.

  • Re:Accountability (Score:4, Interesting)

    by Belial6 ( 794905 ) on Sunday January 25, 2009 @04:28PM (#26600669)
    The problem is that only software is expected to be perfect. No other product the average person or business buys is expected to live up to even close to the quality that software is. Go walk through any brand new house. Look close. I know that I could find literally tens of thousands of "bugs". In fact, flaws in houses are so common that parts are now standard whose primary purpose is to hide the flaws, or make it look like the flaws are 'supposed to be there'. The same can be said of cars, books, furniture, food, etc. Mind you, the less complex an item is, the fewer flaws you will find, but it still comes down to the fact that people just accept flaws in virtually every product they buy. So, no, IBM did not invent the idea that errors are to be expected. That concept has existed long before IBM ever came around.
  • Re:Accountability (Score:3, Interesting)

    by WiiVault ( 1039946 ) on Sunday January 25, 2009 @06:56PM (#26601929)
    I agree, this seems to be a growing problem. These companies seem to have little incentive to protect us, so perhaps they need a disincentive to let our data get stolen. I think it should be indexed to the number of accounts compromised and also increase with every violation. It is just criminal that these companies have next to zero accountability to protect their customers.
  • Re:um (Score:3, Interesting)

    by narcberry ( 1328009 ) on Sunday January 25, 2009 @07:20PM (#26602105) Journal

    I put African American for my race on a resume. I received a phone call, and did a quick interview. At the end of the interview, they were excited for me to come in and meet with them. When they discovered I was white, they said they already had plenty qualified white applicants.

    Equal opportunity = legal racism. I wonder if I can have my race legally changed, heck if you can do it with gender...

  • Re:um (Score:5, Interesting)

    by Ihmhi ( 1206036 ) <i_have_mental_health_issues@yahoo.com> on Monday January 26, 2009 @12:33AM (#26604271)

    Then why don't they file it after the fact that they've hired the qualified persons? They don't need to know that data beforehand.
