Monster says the next time you log in, you'll be asked to change your password. In the meantime, we say if you use the same password on Monster that you use elsewhere, STOP DOING THAT and
1. Change your passwords everywhere;
2. Use a different password for each site (or at *least* for your most important accounts).
Breach announcement [Monster.com]
"Monster.com database hacked again" [TechUrbia]
So we can assume they're probably using Postgres as their backend, right? I mean...what else would you use? They're no where big enough to bring in Oracle.
This also means they have backups of their database, done every night/week by pgdump. pgdump will deposit the entire contents of your database in plain text.
This, plus their lack of hashing in passwords, means that sitting all over their backups are are simple text passwords that can be grepped for.
I'd even go so far as to guess THAT'S what was hacked. Someone just snagged a backup of the database dump.
Rock on, lazy developers! And shame on a project manager that didn't make "basic login security" a higher priority than "constantly pester users via email"
]]>Just as many public companies time the release of negative earnings reports to coincide with the end of the trading day on Friday, I am not surprised that disclosure of this particular breach was made on a Friday.
This breach is yet another reminder of why consumers must spend a few minutes every day reviewing online the activity in their bank and credit card accounts and feeling completely comfortable that every transaction they see is correct.
All the best,
Adam K. Levin
Chairman and Co-Founder
Identity Theft 911
@Wormfather is Wormfather: Word. That's why I very rarely if EVER put my real information our on the internets. I have a monster account, but I attach and send the resume myself and it doesn't live on their server. I don't even think the email I use for work related stuff has my real name attached.
It's best to be anonymous on the nets.
]]>One thing that worries me, is when you login from the main page, some sort of AJAX-y popup appears in the page, with no indication that you are using an SSL secured connection. This could mean that you are sending your password in clear text to them.
If a server of theirs is still compromised and they do not know it, the attacker could be sniffing passwords.
]]>On an unrelated note, this much talk about salting hash is making me jones for a breakfast skillet right about now.
]]>When I read about your most recent privacy breach, I realized Monster.com is not a company I should do business with. The fact that your system stores users' passwords in clear text is shameful, if not legally actionable. So, since your company appears to have no regard for the privacy of my personal information, I would like to cancel my account immediately.
]]>@Framling: And then lets hope they don't use a hash algorithm that has a readily available reverse lookup database.
]]>@George Gdovin: HAH!
But you're right, they're going to get people who are employed but looking to change jobs and people who simply never bothered closing their account.
Hopefully, the hacker is only looking to spam people.
]]>Why is a job search site called 'monster.com'?
That's like calling a restaurant review site 'werewolf.com'
I'd done the same thing - it's a long time since my resume's been available on the site, but I've just gone and cancelled my account altogether, complete with a message expressing my disgust at the lack of communication. Monster have never seemed to have any trouble spamming me on a regular basis, so I can't see why an email warning about this serious breach wasn't deemed necessary.
Way to not give a shit, Monster.
]]>It helps to generate insanely difficult passwords for each and every login you need. You only need to memorize 1 password. The browser plugin does the rest.
]]>I haven't touched my Monster account in forever. I canceled my account and noted why.
]]>I finally gave up and just canceled my account altogether and told them why in the feedback form when I canceled.
]]>Energy drinks? Wasn't the Pixar Monsters, Inc. fansite hacked?
I'm confused.
]]>Perhaps you're not allowed to used symbols, just letters and numbers?
]]>p.s. I'm working on fixing my credit :)
]]>On a side note... I wasn't prompted to select a new password when I logged into Monster...
]]>I don't work for them or anything like that. I just thought this post seemed like a likely place to give it some free advertising. =)
]]>"...We recently learned our database was illegally accessed and certain contact and account data were taken, including Monster user IDs and passwords, email addresses, names, phone numbers, and some basic demographic data...."
]]>Or it could be that they split them up in some half-assed way of reducing database admin overhead.
speculation at this point is really just speculation
]]>Developers are the cause of and solution to all of computing's problems.
/Both a developer AND a network admin
]]>@JGKojak: cables for eye 'sight'....interesting...
]]>@TheKel:
Do "Employers" have a different logon page than "Job Seekers"? If not, it's unlikely that the passwords were stored in different databases.
]]>But the good news is that the quality of their cables hasn't been compromised!
]]>Clear text passwords.
Full of fail.
]]>@JGKojak: Is it the gold plated wires?
]]>@BuddyGuyMontag: NICE REFERENCE!!!
You sir are a dedicated reader.
]]>@fogmaster: Do you know how much info is on your resume.
You get my name, address, phone number, where I work, email address, school I went to and penis size (still reading?).
That's a LARGE piece of the puzzle and it's enough to send me to spam hell with the three prong junk attack phone, email and snail mail.
]]>Weird.
]]>How many times are we going to have to go through this? UGH.
]]>@MacGyver: some people dont live on the internet thus this is not that important. OH no, you got ahold of my resume...
]]>Maybe if they had a REALLY FANCY cable it would prevent their sight from being hacked?
]]>Grr.
]]>I'm going to go change my passwords now.
]]>Xxxxnn.n%nn*nn*nn
Where the X's are letters (and the first one is capitalized) and the n's are all random numbers. So I've got a mix of uppercase, lowercase, 3 different types of punctuation, and 9 numbers, for a password that's 17 characters long. The characters are not a word that could be guessed, and there's nothing in my account that correlates to them. All the numbers are pretty much random and again nothing that correlates to anything in my profile or anything that could be easily guessed (it's not related to my date of birth, my address, my phone number, etc)
Their website claims that this password isn't secure enough and won't let me use it. I've tried about half a dozen variations and since given up because everything I've tried that I consider to be fairly complex is rejected as being too insecure. And nothing on the website states how they determine if a password is strong enough or not. No mention of exactly what is required. I've given up trying to guess what their algorithm is, so I guess I'll keep my old password and hope for the best...
]]>This way you have a separate password for each site, with enough complexity that a hacker can't figure out your password scheme should that password be compromised.
]]>@coren: Monster Cable hacked Monster's website so they would look incompetent and lose money, so Monster Cable could then sue them out of existence and further prove that no one fucks with the word "Monster" without paying the cable folks... they're kinda like the mafia, only whiny and pointless...
]]>Isn't this the 3rd time in the last year or two? There needs to be a penalty or fine placed on companies that have online services compromised more than once....
by the second time you would hope they learned about value in security.
]]>"What was stolen?
This time, just like the attack in 2007, the information stolen was the data of employers, not potential employees (i.e. job seekers). And both hacks were reporting by the same third party company (Symantec)...."
]]>Let's steal a bunch of IDs for people who have no jobs!
Great! Now I can forge my way into the unemployment line.
I know I know, there are probably a large large number of folks in between, etc etc. it was just a funny thought.
]]>@coren: No, this is Monster Mini Golf.
]]>Why do I suddenly have someone calling me every 10 minues to Join Us In Creating Excitement?!?
]]>I don't know why this would be a surprise. Every job posting site that I have ever used has ended up "losing" my email.
Sign up on Careerbuilder, monster, yahoo, whatever and two week later you will get that email telling you that you have been selected to be the next accounts manager for some luxury goods company based in carjackistan. All you need is a computer, some idea where the nearest western union is, and your own bank account!
]]>@dragonfire81: I'll usually come up with some incomprehensible string of crap that can be constructed via a series of hints that will only make sense to me (e.g., "...concatenated with last 4 digitss of XXX's phone number from 1994 to the power of YYY's Birthday, MMDD-format, mod the last 2 letters of ZZZ's middle name in ASCII")
Except a little more oblique.
]]>Lesson #1, Monster: Never store passwords in plaintext. They should be MD5 or SHA1 hashes, preferably salted hashes if you're storing other sensitive data.
]]>The idea behind the hash is that calculating it works only in one-direction: It's easy to convert from password to hash, but extremely difficult to convert from hash to password. When a new user creates their password, we calculate the hash and store THAT. When the user tries to log in again, we take what they enter in the password field, use it to calculate a hash, and compare that to what's in the database. If the two hashes match, the user is allowed in.
The only drawback is that administrators (or users themselves) can't ever "look up" a password... just reset it. But then again, that's a benefit since I don't want anyone with access to a user database (legitimate or otherwise) to see what I used as my password!
]]>Oh, man...so much for that SPORTS MARKETING POSITION TO $90K+ FIRST YEAR job I've been hoping for.
]]>Wait.
Wait a fucking second.
What the FUCK are they doing storing passwords? No. BAD MONSTER.COM.
You store HASHES of passwords. Then, when someone manages to h4x0r your b0x0r, they don't get a whole boatload of passwords!
</Network Security 101>
]]>Monster Cable lost my passwords? Is that why my HDTV keeps showing porn?
]]>I am so glad I filled my account with random information and then closed it... After the first breach less than two years ago!
Hell when that happened, I received a physical letter through the mail alerting me to the breach. It seems now Monster doesn't give a crap about employers keeping updated postings on the site*, let alone the safety of their users' personal information.
* When I tried using Monster during my last job search, I found nothing but outdated listings, employers who would never respond to messages/resumes sent through Monster's contact system, and completely irrelevant or bogus jobs.
]]>Yet despite the fact I have multiple passwords I never seem to forget any of them. It's really not that hard to not use the SAME freakin password over and over.
I wonder if most people truly understand what these data breaches could mean for them.
]]>