[Durham INC] Attackers breached the database of Monster.com

RW Pickle randy at 27beverly.com
Tue Jan 27 11:03:00 EST 2009


This came across the desk this AM from Security Central Newswire. Since
there are a number of grad students in the neighborhoods, they might find
it particularly informative, as well as anyone who has posted a resume or
career information online.

RWP
27 Beverly

__________________________________________________________________________

Attackers breached the database of Monster.com to siphon account and
contact information belonging to users, the job site has revealed.

The thieves were able to access the database to steal data such as names,
phone numbers, IDs and passwords, email addresses and basic demographic
information. As a result, the company -- which did not reveal how many
victims there were -- said it soon may require users to change their
passwords.

Federal government career site USAJOBS, for which Monster is a technology
provider, also warned users about the breach.

In addition, given the nature of the data stolen, victims should be on the
lookout for phishing attacks that may result, SANS Internet Storm Center
handler Joel Esler warned on the organization's blog.

"In order to help assure the security of your information, you may soon be
required to change your password upon logging onto the site," Monster's
Chief Privacy Officer Patrick Manzo said in a Friday letter to users. "We
would also recommend you proactively change your password yourself as an
added precaution. We regret any inconvenience this may cause you, but feel
it is important you take these preventative measures."

Manzo reminded users that Monster never will send an unsolicited email
requesting users to update their account credentials.

Corey Thomas, vice president of product management at Rapid7, provider of
security advisory services, told SCMagazineUS.com on Monday that hackers
were able to crack Monster's database by obtaining privileged credentials
-- either through social engineering or site compromise.

"Lots of companies make broad assumptions about what users can and can't
do," he said. "They don't look at how secure you are once you get into the
perimeter."

This is not the first time attackers have besieged Monster.com to steal
data. In 2007, they used stolen login credentials to gain access to the
site and then spread a trojan to capture names, email addresses and
telephone numbers of job seekers. A similar attack occurred three months
later.

The recent hijacking comes at a particularly inopportune time for Monster,
when many job hunters are turning to the site to help them find work amid
a flailing economy.

Anti-spam firm AppRiver warned in its 2009 threat forecast report that
cybercriminals likely will place increased focus on sites such as Monster,
LinkedIn and CareerBuilder because "with increased traffic comes an
increase in the amount of personal information shared."

But Thomas said that no matter the state of the economy, sites such as
Monster will be targeted.

"Any site that has massive amounts of confidential information is going to
get used [in attacks]," he said.
