WPF Consumer Alert: Another
Monster.com Data Breach
Job seekers who have safety concerns such as law enforcement professionals,
victims of domestic violence, and other victims of crimes such as stalking
may be especially at risk
January 27, 2009
Monster.com has announced a data breach on its web site. According to
the job site, Monster.com user IDs and passwords, email addresses, names,
phone numbers, and some "basic demographic data" were compromised.
Monster notified victims of the breach through its web site on Friday,
January 23, 2009. It is unclear how many millions of people this notice
impacts, as Monster.com did not give an estimate. In press reports, however,
Monster has admitted that the breach is global, with Asia Pacific and
Eastern Europe being spared.
Job seekers who have safety concerns, such as law enforcement professionals,
victims of domestic violence and other victims of crimes such as stalking,
may be especially at risk. These people have an immediate need to know
if their personal -- and in some cases previously unpublished -- information
may be in the hands of criminals. Other job seekers may also be at risk
of identity theft and other targeting by the criminals. For example, job
seekers may receive highly targeted and convincing phishing emails which
can lead to further mischief.
The data breach at Monster.com highlights just how valuable job seekers'
demographic and contact information is to thieves. This is because job
seekers' information in the hands of thieves can be used like a road map
for criminal ventures, including identity theft, phishing and spamming.
User passwords, which Monster.com says were compromised in this breach,
are especially valuable as they can potentially be used to access other
sites or email accounts, especially if a person regularly uses the same
This is the third major data breach Monster.com has announced. Monster
previously announced a major data security breach in August
2007, then another security breach in November
Current Breach notice from Monster.com:
January 23, 2009
As is the case with many companies that maintain large databases of
information, Monster is the target of illegal attempts to access and
extract information from its database. We recently learned our database
was illegally accessed and certain contact and account data were taken,
including Monster user IDs and passwords, email addresses, names, phone
numbers, and some basic demographic data. The information accessed does
not include resumes. Monster does not generally collect – and
the accessed information does not include – sensitive data such as social
security numbers or personal financial data.
Immediately upon learning about this, Monster initiated an investigation
and took corrective steps. It is important to know the company continually
monitors for any illicit use of information in our database, and so
far, we have not detected the misuse of this information.
In order to help assure the security of your information, you may soon
be required to change your password upon logging onto the site. Please
follow the instructions on the site. We would also recommend you proactively
change your password yourself as an added precaution. We regret any
inconvenience this may cause you, but feel it is important that you
take these preventative measures.
As a further precaution, we want to remind you that an email address
could be used to target “phishing” emails. Monster will
never send an unsolicited email asking you to confirm your username
and password, nor will Monster ask you to download any software, “tool”
or “access agreement” in order to use your Monster account.
Monster’s security page, http://my.monster.com/securitycenter,
provides users with a substantial amount of information about different
types of Internet fraud. We encourage you to review the information
to learn more about what you can do to protect yourself on the Internet.
The protection of your data is a high priority for Monster. Our newly
redesigned Web site has, and will continue to add, safety and security
features to protect your information and we want you to feel confident
We continue to devote significant resources to ensure Monster has appropriate
security controls in place to protect our infrastructure, and while
no company can completely prevent unauthorized access to data, Monster
believes that by reaching out to job seekers, the company can help users
better defend themselves against similar attacks.
We truly value the trust you place in Monster and appreciate the opportunity
to continue to serve as your online career resource.
Senior Vice President, Global Chief Privacy Officer
(For the complete notice, please see <http://help.monster.com/besafe/jobseeker/index.asp>.)
USAJobs.com has a current security notice posted (current as of January
27, 2009). Monster.com did not discuss whether or not the data breach
affected job seekers using the Federal Government's official job web site,
USAJobs.com, which is outsourced to Monster.com. However, the security
notice makes it appear that this is likely the case. <http://www.usajobs.gov/SecurityNotice.asp>
Tips for Monster.com Breach Victims
If you have created a profile at Monster.com with a password, here is
what you need to know:
- If you posted your resume on Monster.com, or even just created an
account on Monster.com, you need to find out whether it was one of the
accounts or profiles that was compromised. Jobseekers should contact
Monster.com directly regarding this issue. <http://my.monster.com/contactus.aspx>.
- Going forward, work to make your job searching efforts as safe as
possible. The World Privacy Forum has published detailed job search
privacy tips, Job Seekers’ Guide to Resumes: Twelve Resume
Posting Truths. Those tips are available here: <http://www.worldprivacyforum.org/resumedatabaseprivacytips.html>.
See also the next heading in this alert for brief tips.
General job search safety and privacy tips in brief
- When you use job sites, limit the contact information you give to
the site, even if that information is already on your resume. When you
create a user profile, consider using a disposable email address, use
a P.O. Box or a PBX address, and consider shortening your name to first
initial plus last name. It is particularly important to use a unique
password, one you use nowhere else, at any job site. Do not re-use passwords!
- If you have safety concerns or work in a profession where you must
limit exposure of your personal information, you may want to take an
additional step and use either a shelter address/phone number, or another
safe address that does not tie back to your residence whatsoever.
- For disposable, customizable email addresses, we like www.nyms.net,
a pay service available through Anonymizer.com. (The World Privacy Forum
has no financial arrangement or business ties with Anonymizer; however,
we are paying customers of the Nyms service.)
Other articles about this breach:
- AFP <http://tech.yahoo.com/news/afp/20090127/tc_afp/britaincomputercrime>
- Washington Post <http://voices.washingtonpost.com/securityfix/2009/01/monstercom_breach_may_bring_mo.html?wprss=securityfix>
- Bloomberg <http://www.bloomberg.com/apps/news?pid=20601102&sid=aVlh9owPEiAM&refer=uk>