Monster.com Data Stolen, Won't Email Users
chiguy writes "There's been another break-in at Monster.com. It's surprising that there are still unencrypted passwords stored in the database despite the previous hack, as is the decision to not email users — presumably so that no one will make a fuss. From PC World: 'Monster.com user IDs and passwords were stolen, along with names, e-mail addresses, birth dates, gender, ethnicity, and in some cases, users' states of residence. The information does not include Social Security numbers, which Monster.com said it doesn't collect, or resumes. Monster.com posted the warning about the breach on Friday morning and does not plan to send e-mails to users about the issue, said Nikki Richardson, a Monster.com spokeswoman. The SANS Internet Storm Center also posted a note about the break-in on Friday.'"
And the users complained... (Score:3, Funny)
Re: (Score:2, Funny)
Re: (Score:3, Funny)
CNN reports that it caught on in a flash.
Accountability (Score:5, Insightful)
When will companies face accountability for the damages they cause due to lax data security?
Re: (Score:3, Insightful)
As a client, they certainly have the right to ask us to do all kinds of encryption (as long as they pay for it). But it is absurd what people consider to be "private data" now.
All this will do is make other data like SSNs - treat some publicly known data as an
Re:Accountability (Score:5, Informative)
In Sweden it's defined as any combination of data that can individually identify a person.
Re: (Score:2)
Re: (Score:3, Informative)
yes, but afaik they're opt-in usually as a part of your telephone subscription.
Re: (Score:2)
Re: (Score:2)
You probably opted in as part of your contract the same way you probably opted in to them getting your first born.
Re:Accountability (Score:4, Funny)
Re: (Score:2)
When programmers are expected to get it right the first time, just like engineers.
I kind of hate to be the harbinger of bad news, but ever since Microsoft managed to convince people that software defects were a *normal* part of computer operation, the chances of holding companies accountable for bugs, security breaches, etc... have gotten vanishingly small.
Re:Accountability (Score:5, Interesting)
Actually, it was IBM and CS academics that did that. OS360 was released with a long error list and assurance that this was normal for a product of that size. It was this era that produced factors like one error per so many LOC, where "so many" ranged from ten to a thousand depending on the source.
This was long before Microsoft existed and it didn't need much pushing. It was so self-serving that the software industry never argued against it. It also came just in time to meet a huge increase in demand for programmers that could only be met by lowering the bar for entry--so for most of the new crop of programmers, the predictions were accurate.
The sad idea of calling programmers "software engineers" in the hope that a new name would make them more diligent has clearly not worked. Since most are paid by the hour without reference to quality or results, it's unlikely that anything will ever work in this environment.
What's needed is a change in the business model that links payment to a finished, correct product. ISVs working on fixed-price contracts and firmware developers have very low error rates.
Define 'correct' (Score:2)
While I tend to agree, it's also more likely to happen when people commissioning the software accurately define what "correct" means (in your "correct product" definition above).
Re: (Score:2)
Granted. That's what IT architects are for. Unfortunately, very few projects have them, so programmers are expected to fill the role; one for which they are poorly qualified.
The other problem is that most software projects are staffed, costed and scheduled before the product is designed--before anyone knows what needs to be built. Other than in the Aquarian atmosphere of an Agile project, failure is inevitable.
Re: (Score:2)
Granted. That's what IT architects are for. Unfortunately, very few projects have them, so programmers are expected to fill the role; one for which they are poorly qualified.
Fairly often, the architects you get aren't qualified to fill the role either.
Re:Accountability (Score:4, Interesting)
Re: (Score:3, Insightful)
The issue is while the other products have defined and well used laws for product liability, software does not. In fact the industry rejects any attempt to institute any sort of liability procedures for them. As such, there would be a legal recourse for the owner of a house if the flaws in construction caused them to lose money or have loss of life, if software caused the issue there would be no legal recourse. Flaws in houses and cars tend to be minor things (paint chips, trim, etc), since the threat o
Re: (Score:3, Insightful)
I disagree. For things that can cause loss of life, be a safety hazard (usually embedded stuff), or cause significant financial loss, software is held to the same standards as "regular" stuff. I'd say software even does a better job in that case, because, for example, most of the times when planes crash due to a defect, it ends up being a hardware defect.
Fact of the matter is, for typical desktop software it's just not worth the trouble of removing every single bug. If you think Vista and OS X are exp
Re:Accountability (Score:4, Insightful)
Several points of your statement have been debated numerous times here on /.
1) Software is expected to be perfect because the revision *only* requires a rewrite. No materials or tooling need to be changed to create a better program. (end sarcasm)
2) Pointing to different consumer products as examples of acceptably flawed products isn't really accurate. Medical and Aviation are just 2 areas where flaws aren't acceptable. BUT... the rate of innovation is so low that it resembles a flat line because they have to test and bug-stomp all the way, at tremendous cost.
3) Each area of industry has evolved its own set of best practices, rules of thumb, acceptable quality control levels, etc... because they have a limited set of requirements to deal with. They have certain materials, tooling, methods, laws, profit margins, and expectations of customers to deal with. Software is limited in scope only by the human imagination, and thus presents an unlimited set of requirements and resources. The problem has few set limits, and thus is much harder.
4) The design of a product is usually the cheapest part of the creation. They will redesign many times to save a little money on the tooling, materials, labor, packaging, etc... whereas design is the complete manufacturing stage for software. There aren't many opportunities to save money during the manufacture of the product.
Re: (Score:2)
What's needed is a change in the business model that links payment to a finished, correct product.
I'd suggest linking payment to a finished product, "correct" or not. Then fines for bugs found depending on severity.
Re: (Score:2)
Re: (Score:3, Insightful)
Add to that hundreds of different pieces of the core code being designed by different teams with little to no overlap in communications, testing, etc., and you get a nightmare - it's impo
Re: (Score:2)
Re: (Score:3, Interesting)
Re: (Score:2)
> It is just criminal that these companies have next to zero accountability to protect
> their customers.
As you are a paying customer they have whatever accountability their contract with you provides for. If it isn't adequate why did you agree to those terms?
Re: (Score:2)
Re: (Score:2)
When incompetence becomes a crime.
Re: (Score:3, Funny)
When incompetence becomes a crime.
and that won't happen because no politician will incriminate themselves.
If only there was somewhere... (Score:5, Funny)
Greetings Monster.com user! (Score:5, Funny)
All I ask is that you purchase $5000 in laptops to send back to the parent company here.You can even keep one as your work computer.
As soon as we get the laptops we will send you another check for $100,000 to hire two employees. We only ask the extra $10,000 be sent back to the parent company.
Re: (Score:2)
Monster is pretty worthless anyway...but (Score:4, Interesting)
In these economic times people don't seem to care so much about "silly" things like privacy and security when they're scrapping for a job. In a better economy, I think people would be more inclined to make a big fuss. Sad.
Re: (Score:2)
In these economic times people don't seem to care so much about "silly" things like privacy and security when they're scrapping for a job.
Do I smell sarcasm? Are you saying people who become less concerned with privacy when facing unemployment are the ones that are silly? If so, I take it then that you have stable employment and have no ability to empathize. If you were facing losing your house, keeping your home address private would be of very little concern. If you were risking bankruptcy, I'm sure you'd be less worried about spam. In either case, you'd be less concerned with more important privacy-related issues as well.
It is sad, bu
Re: (Score:2)
Sad but true. I graduated last summer and I've been unemployed since. I'd love to tell Monster where to shove it, but I'm desperate. Not even the supermarkets are hiring around here.
That's why you shouldn't become a liberal arts major. In these tough times, they aren't even hiring fry questioners at McDonalds...
Hopefully (Score:3, Funny)
--
So who is hotter? Ali or Ali's Sister?
On the bright side (Score:2)
Maybe the hackers are hiring? (No polygraph or pee tests required.)
Re: (Score:2)
The hackers, no. They seem to be doing just fine without any help, thanks. The spammers and scammers, heck yeah! Business is booming baby!
No wonder (Score:4, Interesting)
After several attempts, I tried logging out and logging in with the new pass. Guess what, it did change!
Bad interface, bad notifications, bad programming, bad (or no) testing. No wonder they got had.
I mean really, if you can't design and code a simple change password feature....
Re:No wonder (Score:5, Informative)
Re:No wonder (Score:5, Informative)
Cancel Your Accounts (Score:5, Interesting)
Re: (Score:2)
I just did that very thing.. Apparently the earlier poster who said you couldn't do it from the webpage is no longer correct. They now have a "cancel membership" page...
Re: (Score:3)
Your comment will be perfectly stored in that same database. At least the hackers will read about your discomfort, so remember to state your geek skills in that rant, so eventually they could offer you a more interesting work.
Re: (Score:2)
I'm probably fucking blind, but I can't seem to find the damn delete button. Can't be that hard to find considering all the people who replied to you saying they did it.
Re: (Score:2)
Yeah, I really was blind. Found it now :)
Re: (Score:2)
Yep, I just cancelled it. They screwed up once but the second time?
Hence the expression-
"Fool me once, shame on you..fool me twice shame on me!"
Re: (Score:2)
Your data will still be in their databases though.
Hopefully it will either be purged within 90 days or the data moved elsewhere that isn't accessible by outside connections.
I'd rather they just delete my data entirely so there's no risk of them leaking my information with another screw up.
No Resumes? (Score:2)
"No resumes were stolen."
Uh huh. So there's no possibility that the malefactors will log in with the stolen user IDs and passwords and collect resumes from people's accounts?
Re: (Score:2)
Just hope you haven't pissed off the "church" of $cientology.
Re: (Score:2)
Re: (Score:3, Informative)
You must have missed the last 800 times this has happened to companies. They steal the email/name/username and the password, then try them on other sites with something more valuable to them (read: paypal, banks, online stores that also keep credit card info).
BTW, in case it's not obvious from what I just wrote. Make sure you use a different password on every website. Even if it's only a small variation on a simple password, it might no
Wouldn't it just be hilarious if... (Score:3, Funny)
the person that stole the data emailed the users instead:
Monster.com let me steal your personal information, not once but twice, knew about it, and didn't feel like letting you know, so I thought I would instead.
Click this link [monster.com] to send an email to monster.com to let them know what you think about their security and their policy for handling of breaches.
- The Haxors
BONUS! If you click on the javascript form (can't link directly to it) on their main page up top right that says Help and Security [monster.com], there's two interesting bullet points lower right:
- Protect yourself against online fraud
- Contact us
Those two really shouldn't be so close together on the same page?
Talk about.. (Score:2)
I'm not terribly surprised (Score:5, Informative)
I'm not terribly surprised. They have a casual approach toward development and quality assurance. In the early days of Monster at TMP Worldwide the QA department consisted of just two people - Fidelity demanded they focus more on QA so they brought me in (Fidelity was and probably still is their single largest account. At the time probably 75% of the jobs were Fidelity postings).
The code running the site was atrocious - and the web server consisted of a single DEC Unix box. They had terrible cross-browser issues (I can't remember if it was Netscape, which was still dominant at the time, or MSIE which completely broke). The developers had no clue what was wrong, so I did some digging and the issue was a lot of table cells and even table rows were never being closed. I logged the defects and was given access to the code (which was Datapult PF at the time - thank god it was not easy-to-write/impossible-to-read perl). I worked with the developers (coders, really) to identify where each type of cell was being generated, and where it should be closed. The code was such that I had to print it on a line printer and trace with pens where each cell was being opened, and there were a lot of cases where the code was not nested properly. It was UGLY. Well, after a few days I had fixed the bugs and it was rendering properly in "all" of the two major browsers, and even AOL.
(as an aside, Datapult PF was kind of neat - very readable and a much better alternative than ASP. I had taken the defect tracking system and enhanced it and wanted to clean up the database schema but there just wasn't time)
Then, by the time they closed the Framingham facility and moved to Maynard, the Fidelity contract had been finalized so they axed most of QA (read: all but one person) and offered me a job as a developer - for $38K, which was just slightly over half of what I was making as a QA engineer. I told them thanks, but no thanks, that $38K is actually quite insulting.
I don't know if they have a proper QA process and department in place, but back when I was there (1997 or 1998) the only people who liked the fact that there even was QA at all was the developers. Management, sales, etc. all hated us, and the parent company (TMP Worldwide) looked at QA as a cost center. They Just Didn't Get It then, and I wouldn't be surprised if they still do not have QA now and Still Don't Get It.
I don't know what they're running for a back end now, but the response headers say IIS 6.0 so I'd presume ASP.net. For .Net and PHP there are plenty of harnesses to test for SQL injection bugs, which If They Get It, they would be running against the site, but far more likely it's a human issue (someone selling the info, since TMP Worldwide grossly under-pays permanent Monster employees, or at least did at the time) or the Windows server has a root kit on it (if it is in fact IIS 6.0) -- or is the result of an untested bridge to other systems they integrate with. If their modus operandi is still that of TMP Worldwide and they view QA as unnecessary unless a client demands it before awarding a large contract (Fidelity is a company which Does Get It) then I would not be surprised if QA personnel and processes are both totally lacking.
It was a fun contract - don't get me wrong. I liked the people I worked with, and I liked working with the developers to fix the problem, but TMP as a whole just doesn't get it. Monster needs to be run internally like a software company, since it is a large internally-developed software project which is CONSTANTLY being enhanced with more and more features and integrated with other systems (ad servers, etc.). It's not a small project by any means and proper QA from requirements through deployment and maintenance is the only way to minimize liabilities such as this.
As an aside: does anyone out there remember the sleeping monster? The sleeping monster was in place whenever code was being moved from the staging server to the live server, or when the Oracle database would go down. The sleep
Re: (Score:2)
I tried to find examples of the syntax and features of Datapult PF, but I couldn't come up with anything. It's not even on the web archive.
I'd really like to see examples of its syntax and features, to get a basic feel for it, if you have any. Thanks!
Re: (Score:2)
I have looked for it in recent years (I wanted to toy around with it) and can't find mirrors of the original site, just sites praising it and very old binaries. :(
I didn't say it was easier to read than ASP - it's easier to read than perl, but at the time was better than ASP. Very easily extended, very modular, etc. - much like PHP is now.
Re: (Score:2)
I interviewed with them about a year ago in Maynard. It seemed like they had a decent shop set up. The folks that I interviewed with were knowledgeable.
I got there just after a huge blizzard blew through. My first flight was canceled. My second flight late. I barely got any sleep at a friend's place before heading out there.
If they'd hired me, and if I had access to catch something easy like "all your passwords are plain text" are one thing. Even if I kicke
Re: (Score:2)
Man, if you casually disclose things like that about your previous employers, don't expect to get many contracts. It is simply unethical. If they made you sign an NDA, then you just violated it, so you could be in real trouble. If they didn't, then they really are complete idiots :-)
Massachusetts Breach Law (Score:5, Informative)
The real kicker is the law requires the firm with a data breach to inform several state agencies AS WELL AS the person whose data has been compromised:
"The law requires that a person or agency that owns or licenses personal information about a resident of the commonwealth notify the attorney general, the director of consumer affairs and business regulation, and the affected resident if it "knows or has reason to know of a breach of security""
Re: (Score:3, Interesting)
Does anyone go to jail for breaking this law?
That's the only way to really get people to follow it. Look at Sarbanes-Oxley, whether you think it's efficient use of documentation, the risk of jail for top executives got them serious about covering their asses.
Corporations are perfectly willing to pay fines, since fines don't generally affect executive compensation.
Re: (Score:2)
Password safes (Score:5, Informative)
Re: (Score:2)
this is a great idea but also sounds like a PITA,
having to look up a random pw to log into a site.
you could 'generate' a hashed password for each site, and just remember the salt.
that way if your safe got lost or you didn't have access to it you could still derive your password for each site.
eg, password = MD5(siteName + myAwesomeSecretSalt) + charsToMakeItPassPasswordRequirements.
Re: (Score:2)
It's not really a PITA if you usually use one machine, in which case Firefox will remember the password for you after it's entered the first time. You only have to do it each time you change machine or reformat, and the balance of effort vs security seems well worth it. I bet the first thing the person that filched the monster.com username/passwords did was to use the same username (and variations on the real name) plus password to log into Amazon, Ebay, online gambling sites, and anywhere they can spend mo
Re: (Score:2)
good points, but if you do use more than one machine (which frankly, i do)
or don't back up your safe or something, you could be in for some hassle.
(actually i forget passwords on a regular basis and just rely on "forgot password" features)
i'm not sure how my idea is insecure - it's a hash of the site name plus a personal master password. i guess if your master password got out though you'd be fux0red, but the same could be said for a password safe.
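The per-site derivation scheme from the two comments above, written out as an added example (this is not code from the thread). `derive_md5` follows the posted recipe, MD5(siteName + secret) plus a fixed suffix to satisfy password rules. `derive_pbkdf2` is an assumed hardened variant, not the poster's scheme: it keeps the same usability but runs the secret through a slow key-derivation function with the site name as salt, so that a per-site password leaked in a breach like this one is far more expensive to work back from. The master secret, suffix, site names and iteration count are constructed values.

```python
import hashlib
import string
import time

# Constructed values for the demonstration; not from the original thread.
MASTER_SECRET = "correct-horse-battery-staple"   # the memorised secret (assumption)
SUFFIX = "A1!"                                   # appended so typical complexity rules are met
PBKDF2_ITERATIONS = 200_000                      # assumed work factor; tune upward over time


def derive_md5(site: str, secret: str = MASTER_SECRET, suffix: str = SUFFIX) -> str:
    """Recipe as posted: MD5(siteName + secret), then a fixed suffix."""
    digest = hashlib.md5((site + secret).encode("utf-8")).hexdigest()
    return digest + suffix


def derive_pbkdf2(site: str, secret: str = MASTER_SECRET, suffix: str = SUFFIX,
                  iterations: int = PBKDF2_ITERATIONS, length: int = 16) -> str:
    """Hardened variant (assumption, not the poster's scheme): PBKDF2-HMAC-SHA256
    with the site name as salt. Each guess at the master secret now costs
    `iterations` hash operations instead of a single MD5."""
    raw = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"),
                              site.encode("utf-8"), iterations, dklen=length)
    return raw.hex() + suffix


def passes_policy(password: str) -> bool:
    """Crude stand-in for a site's complexity rule: length, letters, digits, a symbol."""
    return (len(password) >= 12
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def derivations_per_second(derive, site: str = "example.com", rounds: int = 5) -> float:
    """Derivations per second a scheme allows. The ratio between the two schemes
    is the factor by which offline guessing of the master secret slows down."""
    start = time.perf_counter()
    for _ in range(rounds):
        derive(site)
    elapsed = time.perf_counter() - start
    return rounds / elapsed if elapsed > 0 else float("inf")


if __name__ == "__main__":
    for site in ("example.com", "example.org"):
        print(site, derive_md5(site), derive_pbkdf2(site), sep="\n  ")
    print("MD5 derivations/s:   ", round(derivations_per_second(derive_md5, rounds=2000)))
    print("PBKDF2 derivations/s:", round(derivations_per_second(derive_pbkdf2, rounds=3)))
```

Two practical caveats for anyone adopting this. First, a derived password is a function of the site name only, so after a breach at one site you cannot rotate that one password without changing the secret or adding a per-site counter to the input, which then has to be remembered too. Second, whichever derivation is used, the master secret is the single point of failure the follow-up comment acknowledges; the slow KDF only makes it expensive to recover from a leaked per-site value, it does not remove that risk.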
Viral marketing? (Score:2)
is this more interesting than .. (Score:2)
I called them to remove my account (Score:2)
Right after the first data breach, I called them up and demanded they delete my account and all of my personal data. The fact that there was not an option to do this online, and that I was forced to call them in person, was the first sign that their data management policies were fscked up.
I was put on hold for a long period of time, and when I finally got a real person on the other end of the line, I told them in no uncertain terms that I wanted my account removed. You want to know what their response was
What should end users do? (Score:2)
I assume users of Monster.com should change their password at that site and anywhere else they may have used the same password. What else can users do? Is a password change sufficient?
Phew (Score:2)
Just checked my saved passwords list and the monster one is a one off.
Backups, one time passwords, they're a pain to do but at times like this I'm glad I only have one password to update!
So long, Monster (Score:2)
Combined with the fact that they recently switched to a horrible new UI, this made me login to remove my personal details, change my password, and remove my resume. Most people are using craigslist these days anyway. It's cheaper for employers to post jobs there, and it's a better run site in general (clean UI, good security, etc.). I also left my Yahoo resume up, because that site's not too bad, and I know I get a few hits off it.
Change passwords (Score:2)
So to anyone who reuses passwords over & over again on different websites, this is a good reminder of the security risk you are taking.
If you may have used that password on other websites, now is a good time to change them.
Just think of the number of people who used the same password for their e-mail account as they used for their monster account.
Re:um (Score:5, Insightful)
You don't think they make their money from posting jobs do you?
Re:um (Score:4, Informative)
Actually, they make most of their money through large contracts from companies that post lots of jobs. Fidelity was their first large one, or so I heard before I was asked to come aboard, and was the reason they had ANY QA at all (see below) in the beginning.
TMP worldwide is the parent company of Fidelity and is (or was) one of the largest temp firms in the world. They created Monster so they could find recruits for their own clients - that was fairly well known at the time.
Now I suspect they make the vast majority of their revenue through advertising revenue. Ever go on the site and see all the advertising features? "In your face" hardly begins to describe it.
Re: (Score:2)
er, I meant "Now I suspect they make the vast majority of their revenue on smaller accounts through advertising revenue."
Re: (Score:2, Informative)
WTF are you on about?!?!? TMP has NEVER been the parent company of fidelity and has never had a damn thing to do with anything fidelity does EXCEPT have monster run their careers site.
TMP is the parent company of monster, renaming themselves monster worldwide or something some years back when the dotcom shtf. TMP was the temporary labor division and monster was the online division.
Your facts are fuct for someone claiming to 'be aboard' either fidelity or monster, so much for knowing the background of the co
Re: (Score:2)
Re-read my post. TMP Worldwide is the parent company of Monster. Sorry about the typo as I was typing. Read my original post and don't post AC if you really want to dicker over a typo. Excuse me for making a mistake when writing the post. If you had read for context you would have figured out I made a mistake, so whatever. I know, I know, I've been trolled by an anonymous coward. :-p
Re: (Score:2)
I found my current job through Monster 5 years ago.
Seems to be mainly junk jobs now (like how to be my own boss and how to make money on ebay.)
Re: (Score:3, Informative)
Why the hell is a job search site collecting birth date, gender, and ethnicity information?
Most online applications have the optional equal opportunity information fields. Monster offers a way to auto submit this information. I'm not sure about the DOB, but this additional information is optional on Monster.
--
So who is hotter? Ali or Ali's Sister?
Re: (Score:3, Interesting)
I put african american for my race on a resume. I received a phone call, and did a quick interview. At the end of the interview, they were excited for me to come in and meet with them. When they discovered I was white, they said they already had plenty qualified white applicants.
Equal opportunity = legal racism. I wonder if I can have my race legally changed, heck if you can do it with gender...
Re:um (Score:5, Insightful)
Congratulations. You gave them grounds to not employ you based on the fact that you falsified information on a resume.
I don't disagree with your primary point entirely, but for goodness sake if you think that the result is sufficient evidence to prove discrimination, by all means file a lawsuit.
Telling Slashdot isn't going to help.
Re: (Score:2)
You cannot sue for discrimination because you are too young, or too white. Sorry, this is America, and we don't do equal rights.
Re: (Score:2)
So the employer can know the age and gender of their workers? Ethnicity is somewhat less clear but there are valid purposes such as the need to know one language or work with people of said ethnicity and so on.
Re: (Score:3, Informative)
Re:um (Score:5, Interesting)
Then why don't they file it after the fact that they've hired the qualified persons? They don't need to know that data beforehand.
Re: (Score:2)
Wow... I'm guessing that AC hasn't filled out many applications... and I admit that I've only seen rare few applications ask about ethnicity... but otherwise, age, gender... two standards from my experience. Why would a job site care about Birthdate, Gender, and Race? Because EMPLOYERS care about Birthdates, Gender, and Race. Employers would like to know roughly how old their potential new employees will be, they like to know if they will be hiring a girl (for the day shift) or a guy (for the overnight t
Re: (Score:3, Informative)
Employers would like to know roughly how old their potential new employees will be,
Except under US law, it's illegal to ask an applicant's age. Now I know age can be figured from other sources - dates of school and college graduation, etc. - but I also know the anti-discrimination laws are totally being flaunted by online job sites. Many larger organizations have their own online applications and they claim to be administered by a third party, who will ask the birthdate for the purpose of conducting a background check.
They are breaking the law plain and simple.
Re: (Score:2)
You really sure they actually deleted it?
I've had pretty poor results with requests to delete my account information in the past with various online entities. Buy.com, for example, never deletes anything...I am still getting spammed by them to four disabled accounts years after they were supposedly gone.
Re: (Score:2)
If they had to pay a dollar for every byte of data stolen, would that make these goofballs more cautious?
Re: (Score:2)
Re:Deleted my account. (Score:5, Informative)
Log in, delete your resumes and cover letters, change your password to some random crap. Then, go to the preferences home page and there is a "cancel my account" option. Leave them a nice note explaining how they deserve to go out of business and where oh where could they find a security person with a clue about hashed password storage.
Re: (Score:3, Insightful)
Really? To e-commerce types, valid email addresses are like gold dust. Without them, you'll have a tough time launching your next site and getting its popularity built before your competitors do. With them, you can launch that site, spam all your existing customers with a thinly veiled "special offer" (note the "special" part which bypasses all "do not contact me" checkboxes), and you're in business.
Re: (Score:2, Interesting)
Your analogy is completely flawed. If someone gave me an item to hold onto for him, and it was stolen when my house was burgled, then yes, I would be (partially) responsible. This would be especially true if I didn't take reasonable steps to protect my home.
If monster.com only had their information stolen, then we'd all just laugh at them and move on. But instead, through incompetence and laziness,
Re: (Score:2)
Re: (Score:2)
I hope you meant "hashed". There is no reason whatsoever for a company to use anything but a one-way hash with a salt for storing passwords.
Re: (Score:2)
I deleted my account so to me that is the safest thing to do.
Re: (Score:2)
I'd try again. I was able to cancel mine using Firefox 3.0.5 with Ubuntu 8.10 KDE 4.1
Re: (Score:2)
Spammers and phishers have my login credentials to Monster.com? They also have my preferred e-mail address?
Do you use a separate username and password for every website you visit? How about the typical monster.com user? How many websites use an e-mail address as a form of authentication (forgot your password? We'll e-mail it to you!)? How many websites do you frequent use your preferred e-mail address as a means of verifying your identity?
Hate to be an alarmist, but this data is a lot more important than jus
Re: (Score:2)
> I am a programmer but by no means a security expert. However, when I store passwords I
> use an irreversible hash with salt. It's not hard to implement (1 days work). How can
> any site as big as monster not be doing this?
But then you can't offer to email the user her password when she forgets it.
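An added example, not code from the thread, of what the comment at "I hope you meant 'hashed'" and the exchange just above describe: salted one-way password storage, plus the reset-token flow that replaces "e-mail the user her password" once passwords are no longer recoverable. It uses PBKDF2 from the Python standard library; the in-memory dictionaries, user names and passwords are constructed stand-ins for real database tables, and the iteration count is an assumed value to be tuned for the hardware.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Constructed in-memory stores standing in for database tables (assumption).
USERS = {}          # username -> {"salt", "hash", "iterations"}
RESET_TOKENS = {}   # sha256(token) -> (username, expiry as a UNIX timestamp)

ITERATIONS = 100_000    # PBKDF2 work factor; assumed value, tune for your hardware
DUMMY_SALT = bytes(16)  # used so an unknown user costs the same time as a known one


def _hash(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def create_user(username: str, password: str) -> None:
    """Store only a per-user random salt and the derived hash, never the password."""
    salt = os.urandom(16)
    USERS[username] = {"salt": salt,
                       "hash": _hash(password, salt, ITERATIONS),
                       "iterations": ITERATIONS}


def verify_password(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        _hash(password, DUMMY_SALT, ITERATIONS)   # equalise timing for unknown users
        return False
    candidate = _hash(password, rec["salt"], rec["iterations"])
    return hmac.compare_digest(candidate, rec["hash"])   # constant-time comparison


def issue_reset_token(username: str, ttl_seconds: int = 900,
                      now: Optional[float] = None) -> Optional[str]:
    """Answer to 'then you can't e-mail the password': e-mail a short-lived,
    single-use random token instead. Only its hash is stored server-side, so a
    read of the token table is not enough to take over an account."""
    if username not in USERS:
        return None        # the HTTP response to the user should look the same either way
    token = secrets.token_urlsafe(32)
    expires = (now if now is not None else time.time()) + ttl_seconds
    RESET_TOKENS[hashlib.sha256(token.encode("utf-8")).digest()] = (username, expires)
    return token           # this value goes into the reset link in the e-mail


def redeem_reset_token(token: str, new_password: str,
                       now: Optional[float] = None) -> bool:
    key = hashlib.sha256(token.encode("utf-8")).digest()
    entry = RESET_TOKENS.pop(key, None)   # pop makes the token single-use
    if entry is None:
        return False
    username, expires = entry
    if (now if now is not None else time.time()) > expires:
        return False
    create_user(username, new_password)   # fresh salt, fresh hash
    return True


if __name__ == "__main__":
    create_user("alice", "hunter2")       # constructed credentials
    print("login ok:          ", verify_password("alice", "hunter2"))
    print("wrong password:    ", verify_password("alice", "hunter3"))
    tok = issue_reset_token("alice")
    print("reset accepted:    ", redeem_reset_token(tok, "new-passphrase"))
    print("old password works:", verify_password("alice", "hunter2"))
    print("token reusable:    ", redeem_reset_token(tok, "again"))
```

In production the hashing step would normally be a purpose-built password hash (bcrypt, scrypt or Argon2 through a maintained library) rather than hand-rolled PBKDF2, and the reset endpoint should answer identically whether or not the address is registered, so the reset form cannot be used to confirm which e-mail addresses have accounts. The `now` parameter exists only so expiry can be exercised deterministically.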