Monster Worldwide Inc. said Friday that criminals broke into its database and stole Monster.com user IDs and passwords, email addresses, names and phone numbers.
Resumes were not among the information stolen, Patrick Manzo, senior vice president and global chief privacy officer at the New York-based company, wrote in a notice posted on the Monster website. Sensitive data such as Social Security numbers, which the company doesn't generally collect, also were not accessed, he wrote. Some demographic data, however, was taken. The company didn't specify how many records were stolen.
"Immediately upon learning about this, Monster initiated an investigation and took corrective steps," Manzo wrote. "It is important to know the company continually monitors for any illicit use of information in our database, and so far, we have not detected the misuse of this information."
In the wake of the breach, the company advised users of its job site to change their passwords, and warned that email addresses could be used in phishing scams.
The U.S. federal government's website, USAJOBS, which is hosted by Monster, was also affected by the theft and warned its users in a USAJOBS security notice.
Randall Gamby, an independent information security analyst based in New York, said the data stolen in the Monster breach can be used by cybercriminals to uncover other personal details and to create targeted phishing attacks.
"Criminals are looking for information that makes people comfortable opening an unsolicited email," he said. "Personally identifiable information isn't just credit cards and financial data … I foresee a point in time where any information that's unique to an individual will have to be protected, just like Social Security numbers."
And while Monster noted that it hasn't found any evidence that the data has been misused, "the reality is that most criminals sit on the information until everything has cooled down," Gamby said.
The breach comes less than two years after Monster warned users that intruders broke into Monster's database and stole information.
Randy Abrams, director of technical education at ESET LLC, a security software supplier with U.S. headquarters in San Diego, Calif., said Monster needs to improve its security but added that it probably is attacked more than other companies.
Monster.com is a "fat, juicy target" for cybercriminals because it combines fairly valuable personal information with a user base that's desperate for employment, he said. "You have some great victims for the taking," he said.
To address what's been a repeated problem, the company needs to consider additional security layers such as multifactor authentication for employee database access, Abrams said. Users also can help protect themselves by following security practices such as changing passwords frequently and not using the same passwords for email accounts as they do for websites such as Monster, he added.