$\"user-pic\"$

jrlcopy

Ugh...

Reply

1 replies

$\"user-pic\"$

OwenKlient

January 26, 2009 7:58 PM

Moderate |Flag for review

@jrlcopy: I second that emotion.

Reply

$\"user-pic\"$

dragonfire81

January 26, 2009 7:35 PM

Moderate |Flag for review

I have different passwords for all of my main stuff (email, photosharing sites, facebook and yes, even consumerist).

Yet despite the fact I have multiple passwords I never seem to forget any of them. It's really not that hard to not use the SAME freakin password over and over.

I wonder if most people truly understand what these data breaches could mean for them.

Reply

5 replies

$\"user-pic\"$

madog

January 26, 2009 9:47 PM

Moderate |Flag for review

@dragonfire81: For people looking for some serious password protection, there is an app called 1Password for Mac OS X that interacts with the Keychain app and your browser and can generate random passwords and save them to the keychain. Because it saves it all in an incrypted keychain file, if you lose that file or don't backup to MobileMe then you are screwed, but otherwise it's a pretty cool app that I have yet to test out (because of the backup issue).

I don't work for them or anything like that. I just thought this post seemed like a likely place to give it some free advertising. =)

Reply

$\"user-pic\"$

Hyman Decent

January 27, 2009 5:07 PM

Moderate |Flag for review

@madog: As a Windows user, I rely on KeepPass, which is free and can be installed on a flash drive. There's a version for OS X that was developed by someone other than the creator of KeePass, so it's an unofficial port.

Reply

$\"user-pic\"$

MacGyver

January 26, 2009 8:33 PM

Moderate |Flag for review

@dragonfire81: Try this, come up with a base alphanumeric password like 3lv1s (Elvis) then either prefix or suffix the first few letters of the site name. So your password for Monster would be 3lv1smon or mon3lv1s or even m3lv1son, etc.

This way you have a separate password for each site, with enough complexity that a hacker can't figure out your password scheme should that password be compromised.

Reply

$\"user-pic\"$

fogmaster

January 26, 2009 8:49 PM

Moderate |Flag for review

@MacGyver: some people dont live on the internet thus this is not that important. OH no, you got ahold of my resume...

Reply

$\"user-pic\"$

Wormfather is Wormfather

January 26, 2009 8:53 PM

Moderate |Flag for review

@fogmaster: Do you know how much info is on your resume.

You get my name, address, phone number, where I work, email address, school I went to and penis size (still reading?).

That's a LARGE piece of the puzzle and it's enough to send me to spam hell with the three prong junk attack phone, email and snail mail.

Reply

$\"user-pic\"$

Drowner

January 27, 2009 6:03 PM

Moderate |Flag for review

@Wormfather is Wormfather: Word. That's why I very rarely if EVER put my real information our on the internets. I have a monster account, but I attach and send the resume myself and it doesn't live on their server. I don't even think the email I use for work related stuff has my real name attached.

It's best to be anonymous on the nets.

Reply

$\"user-pic\"$

Framling

January 26, 2009 8:08 PM

Moderate |Flag for review

@dragonfire81: I'll usually come up with some incomprehensible string of crap that can be constructed via a series of hints that will only make sense to me (e.g., \"...concatenated with last 4 digitss of XXX's phone number from 1994 to the power of YYY's Birthday, MMDD-format, mod the last 2 letters of ZZZ's middle name in ASCII\")

Except a little more oblique.

Reply

$\"user-pic\"$

nicemarmot617

January 26, 2009 7:39 PM

Moderate |Flag for review

I have logins and accounts at hundreds of different sites. Literally. I would use different passwords for all of them but then I'd have to write them all down, which would defeat the whole purpose. So instead I use a rotating series of \"nonsense words\" and numbers depending on what type of site it is. Works perfectly well for me!

Reply

2 replies

$\"user-pic\"$

Moosehawk

January 26, 2009 7:43 PM

Moderate |Flag for review

@nicemarmot617: I do the same thing. Different tiers of security level for the site (banks, e-mail, forums, etc) mean different passwords. More secure passwords for sites I want to make sure I don't lose control to. I usually keep some sort of system.

Reply

$\"user-pic\"$

Zeniq

January 26, 2009 8:38 PM

Moderate |Flag for review

@Moosehawk: Me too! Although, I have to think about that when it comes to things like this: If someone got my password for my \"money-stuff\" tier, they would have my password and potential access to all my financial websites. Not a good way to do it, not that I think about it.

I'm going to go change my passwords now.

Reply

$\"user-pic\"$

Zeniq

January 26, 2009 8:39 PM

Moderate |Flag for review

@Zeniq: *now that I think about it.

Grr.

Reply

$\"user-pic\"$

BlackMage is doing the Time Warp agaaaaaaain!!!

January 26, 2009 7:40 PM

Moderate |Flag for review

AGAIN?!

I am so glad I filled my account with random information and then closed it... After the first breach less than two years ago!

Hell when that happened, I received a physical letter through the mail alerting me to the breach. It seems now Monster doesn't give a crap about employers keeping updated postings on the site*, let alone the safety of their users' personal information.

* When I tried using Monster during my last job search, I found nothing but outdated listings, employers who would never respond to messages/resumes sent through Monster's contact system, and completely irrelevant or bogus jobs.

Reply

2 replies

$\"user-pic\"$

BluePlastic

January 26, 2009 11:31 PM

Moderate |Flag for review

@BlackMage is doing the Time Warp agaaaaaaain!!!: I had taken my resume off my Monster account but am not sure if hackers still could have gotten my address. Hmm. I went just now and cancelled my account completely. All I've ever gotten through them is suspicious-looking \"work at home\" e-mails.

Reply

$\"user-pic\"$

MsAnthropy

January 27, 2009 3:34 AM

Moderate |Flag for review

@BluePlastic:

I'd done the same thing - it's a long time since my resume's been available on the site, but I've just gone and cancelled my account altogether, complete with a message expressing my disgust at the lack of communication. Monster have never seemed to have any trouble spamming me on a regular basis, so I can't see why an email warning about this serious breach wasn't deemed necessary.

Way to not give a shit, Monster.

Reply

$\"user-pic\"$

Canino

January 26, 2009 7:46 PM

Moderate |Flag for review

Monster Cable lost my passwords? Is that why my HDTV keeps showing porn?

Reply

4 replies

$\"user-pic\"$

Smashville

January 27, 2009 2:22 AM

Moderate |Flag for review

@Canino: I keep trying to log into the site, but I can't figure out how to play the minigolf.

Reply

$\"user-pic\"$

madog

January 26, 2009 9:49 PM

Moderate |Flag for review

@Canino: Better watch out, you might get sued for using the word monster.

Reply

$\"user-pic\"$

joe18521

January 26, 2009 9:04 PM

Moderate |Flag for review

@Canino:
Why can't they steal my password too?!

Reply

$\"user-pic\"$

AdvocatesDevil

January 26, 2009 8:55 PM

Moderate |Flag for review

@Canino: LOL!!

Reply

$\"user-pic\"$

menty666

January 26, 2009 7:46 PM

Moderate |Flag for review

What I'd like to know is why the password information in the database wasn't encrypted. It's not that hard to do..

Reply

$\"user-pic\"$

Framling

January 26, 2009 7:47 PM

Moderate |Flag for review

Wait.

Wait a fucking second.

What the FUCK are they doing storing passwords? No. BAD MONSTER.COM.

You store HASHES of passwords. Then, when someone manages to h4x0r your b0x0r, they don't get a whole boatload of passwords!

</Network Security 101>

Reply

10 replies

$\"user-pic\"$

MaytagRepairman

January 27, 2009 4:04 PM

Moderate |Flag for review

@Framling: And then lets hope they don't use a hash algorithm that has a readily available reverse lookup database.

Reply

$\"user-pic\"$

wastedlife

January 27, 2009 5:32 PM

Moderate |Flag for review

@MaytagRepairman: This is why salting the hash is important. This way, in order to crack the password, both the salt and the hash algorithm are needed. A unique salt ensures that pre-made databases of hashes cannot be used.

On an unrelated note, this much talk about salting hash is making me jones for a breakfast skillet right about now.

Reply

$\"user-pic\"$

xsmasher

January 26, 2009 9:24 PM

Moderate |Flag for review

@Framling: Is there any indication FROM MONSTER that they were storing passwords? The bit about changing your password for other sites seems to have been tacked on by other authors, who may not know as much about what happened, or why storing hashes is safer.

Reply

$\"user-pic\"$

Anonymous

January 26, 2009 9:44 PM

Moderate |Flag for review

@xsmasher: From Monster.com's website:

\"...We recently learned our database was illegally accessed and certain contact and account data were taken, including Monster user IDs and passwords, email addresses, names, phone numbers, and some basic demographic data....\"

Reply

$\"user-pic\"$

nucwin83

January 26, 2009 8:50 PM

Moderate |Flag for review

@Framling: THIS TIMES 42 TIMES INFINITY.

How many times are we going to have to go through this? UGH.

Reply

$\"user-pic\"$

Oranges w/ Cheese hates what Christmas has become

January 26, 2009 8:39 PM

Moderate |Flag for review

@Framling: Let's hope by \"passwords\" they meant exactly as you stated - the hashes. Not the actual passwords themselves.

Reply

$\"user-pic\"$

EricaJoy

January 26, 2009 9:18 PM

Moderate |Flag for review

@Oranges w/ Cheese: Newp. Clear text.

Clear text passwords.

Full of fail.

Reply

$\"user-pic\"$

Brad

January 29, 2009 12:27 AM

Moderate |Flag for review

@EricaJoy: Let's go ahead and combine this with another piece of awesome.

So we can assume they're probably using Postgres as their backend, right? I mean...what else would you use? They're no where big enough to bring in Oracle.

This also means they have backups of their database, done every night/week by pgdump. pgdump will deposit the entire contents of your database in plain text.

This, plus their lack of hashing in passwords, means that sitting all over their backups are are simple text passwords that can be grepped for.

I'd even go so far as to guess THAT'S what was hacked. Someone just snagged a backup of the database dump.

Rock on, lazy developers! And shame on a project manager that didn't make \"basic login security\" a higher priority than \"constantly pester users via email\"

Reply

$\"user-pic\"$

nucwin83

January 26, 2009 8:55 PM

Moderate |Flag for review

@Oranges w/ Cheese: It's a good question. One thing I like to do is anytime I sign up to a website, I'll almost immediately do a \"forgot password\". If they actually email the password, red flag.

Reply

$\"user-pic\"$

3drage

January 26, 2009 8:06 PM

Moderate |Flag for review

@Framling: It's frightening how incompetent network admins are when it comes to security. It would blow your mind the kind of things auditors find on a regular basis.

Reply

$\"user-pic\"$

StevePJobs

January 26, 2009 7:58 PM

Moderate |Flag for review

@Framling: It took me awhile to realize that, but you're totally right. *Why* are they storing plaintext passwords? This isn't 1994!

Lesson #1, Monster: Never store passwords in plaintext. They should be MD5 or SHA1 hashes, preferably salted hashes if you're storing other sensitive data.

Reply

$\"user-pic\"$

AstroPig7

January 26, 2009 7:50 PM

Moderate |Flag for review

Yet, strangely, I never see postings for security positions at Monster.

Reply

$\"user-pic\"$

Ash78 ain't got time to bleed

January 26, 2009 7:55 PM

Moderate |Flag for review

Oh, man...so much for that SPORTS MARKETING POSITION TO $90K+ FIRST YEAR job I've been hoping for.

Reply

$\"user-pic\"$

Eric Jay

January 26, 2009 7:55 PM

Moderate |Flag for review

It's not just irresponsible that they aren't sending out notices, it's VERY irresponsible of them to even store passwords in their database. It's easy, and much more secure, to store a hash of a password, and not the password itself.

The idea behind the hash is that calculating it works only in one-direction: It's easy to convert from password to hash, but extremely difficult to convert from hash to password. When a new user creates their password, we calculate the hash and store THAT. When the user tries to log in again, we take what they enter in the password field, use it to calculate a hash, and compare that to what's in the database. If the two hashes match, the user is allowed in.

The only drawback is that administrators (or users themselves) can't ever \"look up\" a password... just reset it. But then again, that's a benefit since I don't want anyone with access to a user database (legitimate or otherwise) to see what I used as my password!

Reply

$\"user-pic\"$

JGBrock

January 26, 2009 8:10 PM

Moderate |Flag for review

I don't know why this would be a surprise. Every job posting site that I have ever used has ended up \"losing\" my email.

Sign up on Careerbuilder, monster, yahoo, whatever and two week later you will get that email telling you that you have been selected to be the next accounts manager for some luxury goods company based in carjackistan. All you need is a computer, some idea where the nearest western union is, and your own bank account!

Reply

$\"user-pic\"$

BuddyGuyMontag

January 26, 2009 8:11 PM

Moderate |Flag for review

Why do I suddenly have someone calling me every 10 minues to Join Us In Creating Excitement?!?

Reply

1 replies

$\"user-pic\"$

Wormfather is Wormfather

January 26, 2009 8:57 PM

Moderate |Flag for review

@BuddyGuyMontag: NICE REFERENCE!!!

You sir are a dedicated reader.

Reply

$\"user-pic\"$

coren

January 26, 2009 8:12 PM

Moderate |Flag for review

Why does Monster Cable have my passwords? I am very confused here. I don't think I ever had to log in to Monster Cable.

Reply

4 replies

$\"user-pic\"$

docrice

January 26, 2009 8:32 PM

Moderate |Flag for review

@coren: Monster Cable hacked Monster's website so they would look incompetent and lose money, so Monster Cable could then sue them out of existence and further prove that no one fucks with the word \"Monster\" without paying the cable folks... they're kinda like the mafia, only whiny and pointless...

Reply

$\"user-pic\"$

madog

January 26, 2009 9:53 PM

Moderate |Flag for review

@docrice: But by making Monster.com look incompetent then post hoc ergo propter hoc Monster cables will look like fools as well and end up suing themselves for infringement of stupidity.

Reply

$\"user-pic\"$

Ash78 ain't got time to bleed

January 26, 2009 8:14 PM

Moderate |Flag for review

@coren: No, this is Monster Mini Golf.

Reply

$\"user-pic\"$

Nick1693

January 26, 2009 8:23 PM

Moderate |Flag for review

@Ash78: I thought it was Fenway Park's Green Monster.

Reply

$\"user-pic\"$

George Gdovin

January 26, 2009 8:19 PM

Moderate |Flag for review

I know there are probably quite a few valuable ID's in the lot that was stolen, but it seems kind of stupid...

Let's steal a bunch of IDs for people who have no jobs!
Great! Now I can forge my way into the unemployment line.

I know I know, there are probably a large large number of folks in between, etc etc. it was just a funny thought.

Reply

2 replies

$\"user-pic\"$

Rectilinear Propagation

January 27, 2009 2:10 PM

Moderate |Flag for review

Let's steal a bunch of IDs for people who have no jobs!

@George Gdovin: HAH!
But you're right, they're going to get people who are employed but looking to change jobs and people who simply never bothered closing their account.

Hopefully, the hacker is only looking to spam people.

Reply

$\"user-pic\"$

KyleOrton

January 26, 2009 11:45 PM

Moderate |Flag for review

@George Gdovin: It's the best way to get IDs and PWs for ESPN Fantasy Football.

Reply

$\"user-pic\"$

TheKel

January 26, 2009 8:23 PM

Moderate |Flag for review

According to TechUrbia, it looks like it was not job seekers whose information was stolen:

\"What was stolen?

This time, just like the attack in 2007, the information stolen was the data of employers, not potential employees (i.e. job seekers). And both hacks were reporting by the same third party company (Symantec)....\"

Reply

3 replies

$\"user-pic\"$

HungryTuna

January 26, 2009 9:29 PM

Moderate |Flag for review

@TheKel:

Do \"Employers\" have a different logon page than \"Job Seekers\"? If not, it's unlikely that the passwords were stored in different databases.

Reply

$\"user-pic\"$

wastedlife

January 27, 2009 5:38 PM

Moderate |Flag for review

@HungryTuna: There is a link to a separate page for employers when you go to the main page. That still doesn't necessarily mean that they are using separate databases though.

One thing that worries me, is when you login from the main page, some sort of AJAX-y popup appears in the page, with no indication that you are using an SSL secured connection. This could mean that you are sending your password in clear text to them.

If a server of theirs is still compromised and they do not know it, the attacker could be sniffing passwords.

Reply

$\"user-pic\"$

snowburnt

January 26, 2009 9:37 PM

Moderate |Flag for review

@HungryTuna: Actually, based on how old monster is they may have developed both modules completely separately with no initial design concept of combining the databases.

Or it could be that they split them up in some half-assed way of reducing database admin overhead.

speculation at this point is really just speculation

Reply

$\"user-pic\"$

freelunch

January 26, 2009 8:26 PM

Moderate |Flag for review

Isn't this the 3rd time in the last year or two? There needs to be a penalty or fine placed on companies that have online services compromised more than once....

by the second time you would hope they learned about value in security.

Reply

1 replies

$\"user-pic\"$

Jon Mason

January 26, 2009 8:47 PM

Moderate |Flag for review

@freelunch: Or you know, the old-fashioned way - fire their security guys...

Reply

$\"user-pic\"$

Kishi

January 26, 2009 8:32 PM

Moderate |Flag for review

I heard a rumor that Monster Cable has now sued the hackers, claiming they're the only people allowed to try to screw over companies with Monster in their name.

Reply

$\"user-pic\"$

IphtashuFitz

January 26, 2009 8:37 PM

Moderate |Flag for review

Although I haven't used monster.com in over a year I figured I'd go change my password. My old password was 7 characters long and just a mix of lowercase numbers & letters. So I decide to try to use a password that's something like this:

Xxxxnn.n%nn*nn*nn

Where the X's are letters (and the first one is capitalized) and the n's are all random numbers. So I've got a mix of uppercase, lowercase, 3 different types of punctuation, and 9 numbers, for a password that's 17 characters long. The characters are not a word that could be guessed, and there's nothing in my account that correlates to them. All the numbers are pretty much random and again nothing that correlates to anything in my profile or anything that could be easily guessed (it's not related to my date of birth, my address, my phone number, etc)

Their website claims that this password isn't secure enough and won't let me use it. I've tried about half a dozen variations and since given up because everything I've tried that I consider to be fairly complex is rejected as being too insecure. And nothing on the website states how they determine if a password is strong enough or not. No mention of exactly what is required. I've given up trying to guess what their algorithm is, so I guess I'll keep my old password and hope for the best...

Reply

2 replies

$\"user-pic\"$

SJActress

January 27, 2009 12:05 AM

Moderate |Flag for review

@IphtashuFitz:

Perhaps you're not allowed to used symbols, just letters and numbers?

Reply

$\"user-pic\"$

IphtashuFitz

January 27, 2009 2:03 AM

Moderate |Flag for review

@SJActress: The help that the Monster.com site DID provide just said some general things about how you should use mixed case letters, numbers, and punctuation in your passwords. They also explicitly stated that you can use spaces so that you can use an easy to remember phrase. Whatever the case, their password change form and their documentation wasn't very user friendly. I seriously doubt I'm the only one who ran into problems changing their password.

I finally gave up and just canceled my account altogether and told them why in the feedback form when I canceled.

Reply

$\"user-pic\"$

Oranges w/ Cheese hates what Christmas has become

January 26, 2009 8:38 PM

Moderate |Flag for review

Hopefully their database managers at least used some sort of encoding so only my spam-worthy information is getting circulated around the net at this moment.
Most of my important sites (email, bank, ebay, paypal) use randomly generated passwords anyway so I'm safe there.

Reply

$\"user-pic\"$

JGKojak

January 26, 2009 8:46 PM

Moderate |Flag for review

Maybe if they had a REALLY FANCY cable it would prevent their sight from being hacked?

Reply

2 replies

$\"user-pic\"$

ceez

January 26, 2009 9:30 PM

Moderate |Flag for review

@JGKojak: cables for eye 'sight'....interesting...

Reply

$\"user-pic\"$

Wormfather is Wormfather

January 26, 2009 8:59 PM

Moderate |Flag for review

@JGKojak: Is it the gold plated wires?

Reply

$\"user-pic\"$

invisiblenemies

January 26, 2009 8:51 PM

Moderate |Flag for review

I didn't know I needed a password to buy Monster energy drinks.

Weird.

Reply

1 replies

$\"user-pic\"$

SJActress

January 27, 2009 12:06 AM

Moderate |Flag for review

@invisiblenemies:

Energy drinks? Wasn't the Pixar Monsters, Inc. fansite hacked?

I'm confused.

Reply

$\"user-pic\"$

chucklebuck

January 26, 2009 8:54 PM

Moderate |Flag for review

If you delete your account (like I just did), they ask you for the reason before the final deletion. I took the time to tell them that it was because while I know that data breaches can happen, the fact that they stored passwords in plain text and thus made the acquired data more usable was the reason I was deleting. Maybe enough people telling them so will get them to rethink at least that aspect of their security practices.

Reply

2 replies

$\"user-pic\"$

carpenter115

January 27, 2009 3:51 PM

Moderate |Flag for review

@chucklebuck:
Did the same here.
\"Just learned from a third-party site that Monsters databases were hacked....yet, Monster hasn't seen the need to let members know...are you guys for real? I never got any offers other than \"work at home for $99/mo\"; but I still remained just in case...now, to find out that my information may have been comprimised, and not one bit of effort has been made to notify me, has left me with such a negative view of this site that I will make sure that everyone I know (and consumer type sites) will know\"

Reply

$\"user-pic\"$

kathyl

January 27, 2009 1:57 AM

Moderate |Flag for review

@chucklebuck: I did exactly the same thing, cancel and let them know exactly what had caused me to do it. I hope you're right, and that if enough of us point out why we're abandoning the site they'll get a clue.

Reply

$\"user-pic\"$

brettbee

January 26, 2009 9:18 PM

Moderate |Flag for review

I have this vague recollection of a phishing e-mail relating to monster.com about a week or so ago. Could it have actually worked?!?

Reply

$\"user-pic\"$

Borax-Johnson

January 26, 2009 9:23 PM

Moderate |Flag for review

But the good news is that the quality of their cables hasn't been compromised!

Reply

$\"user-pic\"$

CFinWV

January 26, 2009 9:27 PM

Moderate |Flag for review

FYI we got an email about this at work because apparently monster.com and usajobs (the federal government's online job listings) are linked. So if you have an account with USAjobs you could be affected.

Reply

$\"user-pic\"$

snowburnt

January 26, 2009 9:31 PM

Moderate |Flag for review

@Framling: @3drage: Whoa now! It's not the network admins fault, it's the Developers.

Developers are the cause of and solution to all of computing's problems.

/Both a developer AND a network admin

Reply

1 replies

$\"user-pic\"$

chris_d

January 26, 2009 9:42 PM

Moderate |Flag for review

@snowburnt:
Developers, developers, developers, developers!
developers,developers,developers,developers!
developers,developers,developers,developers!
etc.

Reply

$\"user-pic\"$

Gospel X

January 26, 2009 9:37 PM

Moderate |Flag for review

Better yet, DON'T use Monster. On the applicant end of things, it's absolutely horrible. You can only make one resume visible at a time, and Monster will weed out your application for the employers. I recently applied for a job for which I was short the appropriate experience by a couple of years, and I received a message with \"DOES NOT QUALIFY\" in the subject line. When I asked about it, they said that it's Monster's system at work. (Bad on that employer for letting it get by, if it was indeed Monster's words.) Sure, employers can pay for that sort of help, but why the hell would I want to use a service that may make the time I spent setting up an account and writing cover letters a total waste?

Reply

$\"user-pic\"$

SanDiegoDude

January 26, 2009 10:51 PM

Moderate |Flag for review

Surprisingly, I got my current job through Monster... all the same, all my info on it was old (even my old job search email which has remained dusty and unused for 3 years and lol have no clue what the password is to it now) Honestly though, what dumbass dev is storing clear text PW's? Seriously, in every single class where I had to set up any type of authentication, (even MS Access!!) we students were always told for security's sake to use one way encryption.

On a side note... I wasn't prompted to select a new password when I logged into Monster...

Reply

$\"user-pic\"$

SexualElf

January 26, 2009 11:21 PM

Moderate |Flag for review

The ONE teeny tiny upside to my embarrassingly horrible credit is that when I hear about these breaches, I know there's literally NOTHING that can be done with my information. I can't even get a very very high APR credit card. Not even a store cardSad and awesome, yes? :)

p.s. I'm working on fixing my credit :)

Reply

$\"user-pic\"$

Jack Doyle

January 26, 2009 11:42 PM

Moderate |Flag for review

Why would they not encrypt passwords in the database?

Reply

$\"user-pic\"$

SableHemlock

January 27, 2009 2:11 AM

Moderate |Flag for review

Man, I don't even remember what my monster.com password is. Good thing I started using random passwords that hard to guess.

Reply

$\"user-pic\"$

LostAngeles

January 27, 2009 2:55 AM

Moderate |Flag for review

Peachy.

I haven't touched my Monster account in forever. I canceled my account and noted why.

Reply

$\"user-pic\"$

ironchef

January 27, 2009 3:01 AM

Moderate |Flag for review

I HIGHLY recommend 1Password

[agilewebsolutions.com]

It helps to generate insanely difficult passwords for each and every login you need. You only need to memorize 1 password. The browser plugin does the rest.

Reply

1 replies

$\"user-pic\"$

ironchef

January 27, 2009 3:01 AM

Moderate |Flag for review

@ironchef: Plus it protects you against keylogger hacks and also syncs with your iphone.

Reply

$\"user-pic\"$

FuryOfFirestorm

January 27, 2009 8:06 AM

Moderate |Flag for review

Why is a job search site called 'monster.com'?

That's like calling a restaurant review site 'werewolf.com'

Reply

$\"user-pic\"$

ToddBradley

January 27, 2009 4:27 PM

Moderate |Flag for review

Did anyone else notice that Monster.com's website displays the \"TRUSTe Certified Privacy\" badge? Is the TRUSTe certification a sham? If not, how could they certify a company that stores clear text passwords in their DB? Either TRUSTe isn't doing what it's supposed to do (instill trust in the public, like me) or Monster.com should have their certification revoked.

Reply

$\"user-pic\"$

darkryd

January 27, 2009 4:33 PM

Moderate |Flag for review

People still use Monster? Every time I was on there the only job listings were spam.

Reply

$\"user-pic\"$

ToddBradley

January 27, 2009 4:36 PM

Moderate |Flag for review

I just canceled my membership, too. Here's the reason I left them:

When I read about your most recent privacy breach, I realized Monster.com is not a company I should do business with. The fact that your system stores users' passwords in clear text is shameful, if not legally actionable. So, since your company appears to have no regard for the privacy of my personal information, I would like to cancel my account immediately.

Reply

$\"user-pic\"$

Anonymous

January 27, 2009 11:01 PM

Moderate |Flag for review

The monster.com breach is but another confirmation that the level of hacker sophistication continues to evolve and that we must never underestimate their ingenuity or capacity for stealth. Unfortunately, I anticipate that this type of criminal activity will become even more prevalent during this period of economic turmoil. Therefore, it is imperative that business, the Obama Administration and the new Congress keep privacy, security and identity theft issues on the front burner.

Just as many public companies time the release of negative earnings reports to coincide with the end of the trading day on Friday, I am not surprised that disclosure of this particular breach was made on a Friday.

This breach is yet another reminder of why consumers must spend a few minutes every day reviewing online the activity in their bank and credit card accounts and feeling completely comfortable that every transaction they see is correct.

All the best,

Adam K. Levin
Chairman and Co-Founder
Identity Theft 911

Reply

$\"user-pic\"$

Tomas Boman

January 28, 2009 8:52 PM

Moderate |Flag for review

I may be a little partial, being the principal architect of myOneLogin and all. But, as part of a \"dogfooding\" effort, we were instructed to use our own secure-single-signon product for our personal usage. And it didn't take me long to ask myself how I could have managed to live without www.myonelogin.com. I don't want to beat my own drum, but I think this is the future of password management. It didn't just make it easier for me to login to my various online accounts, but also added security such as automatic password changes, certificate authentication and other strong authentication benefits.

Reply