Monster.com and USAJobs.gov victim of a serious hacking attack
(27/01/2009)


Users of careers website Monster.com and USAJobs.gov, the official job site of the US Federal Government, should change their passwords following news that both sites have been the victim of a serious hacking attack which has compromised usernames and passwords.

Monster and USAJobs have published security alerts warning their customers of a serious hacking attack: Monster has published a warning for its users, advising them to change their passwords. A similar alert has appeared on the USAJobs.gov website, whose database is run by Monster.

Furthermore, as research has discovered that 41 percent of people use the same password for every website they access, many Monster and USAJobs users are likely to be at risk of having their accounts on other websites hacked.

According to a warning published by Monster, other data stolen included users' email addresses, names, phone numbers and some demographic data. The incident follows a similar attack on both sites 18 months ago when hackers used the Monstres Trojan horse to steal details of jobseekers via recruiter accounts. That hack was unsurprisingly followed by a widespread phishing campaign.

Although the warnings are keen to emphasise what information has not been breached during the attack (for instance, social security numbers), it is important to understand the serious risks that Monster and USAJobs customers may face because of this incident.

One very real risk is that hackers will use the email addresses and personal information they have obtained to mount a realistic phishing campaign, attempting to gather more sensitive information about victims. Phishing emails which attempt to look more legitimate by using the recipient’s real name and other personal information (such as user id, phone number or location) are always more successful at tricking people into giving up further details that could be used for identity theft.

That means that if hackers have managed to extract your Monster.com or USAJobs.gov password in this attack, they might be able to use it to break into your email accounts, or the likes of eBay, PayPal, Amazon, and indeed any other website that you have used the same password for.

So, if you use Monster.com or USAJobs.gov you should change your password now. Choose a sensible password that is not a dictionary word and that is hard to guess. And then change your passwords at any other site where you might be using the same password. Make sure, of course, that it’s not the same password as the one you are using at Monster - you don’t want to make that mistake again.

"Customers of both Monster and USAJobs have been placed at serious risk because of this attack," said Graham Cluley, senior technology consultant at Sophos. "One very real risk is that the hackers will use the email addresses and personal information they have stolen to mount a very realistic phishing campaign to gather more sensitive information from the victims. But, that's just the tip of the iceberg - since so many people use the same password for every website, there's a good chance the cybercriminals will be able to access users' bank accounts and other sites."

According to media reports, Monster is not planning to warn its users via email about the security breach, but instead posted an advisory on its website.

"There will be a few raised eyebrows about how Monster is choosing to inform its members of this serious security breach. As the company's database was hacked in what appears to have been a similar attack in 2007, customer confidence in the company may be damaged following this latest incident," continued Cluley.
