Monster.com was attacked again and their database breached. A similar incident occurred in 2007. Back then, the company said they would make the site more secure and they would take security much more seriously. Their new and improved security was breached a few months later, proving that security appears to be just lip service at Monster.com.
“This remote server held over 1.6 million entries with personal information belonging to several hundred thousands of candidates, mainly based in the US, who had posted their resumes to the Monster.com website,” reported Symantec.
Symantec said it had seen reports of phishing e-mails sent out to Monster.com users which were “very realistic” and contained “personal information of the victims”.
The e-mail encouraged users to download a Monster Job Seeker Tool, which was in fact a program that encrypted files on their computer and left a ransom note demanding money for their decryption.
The program used to access Monster.com user data was a Trojan, a type of malware commonly used to gain access to bank details, usernames and passwords.
Monster.com will also not be sending out emails to let users know of the breach, despite the fact that this is illegal in most states. Instead, there is a small security update on the site’s main page. It’s also easy to miss.
Though the company is offering help, there’s little to be done by users who don’t keep their software up to date and IT administrators who haven’t kept up with the latest reports of attacks or tried to actually make the site more secure.
One major way they could have made the site more secure is by using simple password security. If you happen to use the account on a public terminal and forget to log out, anyone can go back into your account and change your password to a new one. There is no prompt for you to type in your old password before creating a new one. Passwords are also not encrypted. These are the basics of security and Monster.com continues to fail at them miserably.
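The two basics named above can be sketched in a few lines. This is an added example, not code from Monster.com or from the original post. It assumes a constructed in-memory user table and a salted PBKDF2 hash (one-way hashing, the usual practice for stored passwords, stands in for "encrypted" here). It places a password change that trusts the open session beside one that asks for the current password first.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # illustrative PBKDF2-HMAC-SHA256 work factor (assumption)
USERS = {}            # constructed in-memory user table: name -> (salt, hash)


def _derive(password, salt):
    # One-way key derivation; the plaintext password is never stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def set_password(user, password):
    # A fresh random salt per password keeps identical passwords from
    # producing identical stored values.
    salt = os.urandom(16)
    USERS[user] = (salt, _derive(password, salt))


def verify_password(user, password):
    record = USERS.get(user)
    if record is None:
        return False
    salt, stored = record
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(stored, _derive(password, salt))


def change_password_weak(user, new_password):
    """Behaviour described in the text: an open session alone is enough."""
    set_password(user, new_password)
    return True


def change_password(user, current_password, new_password):
    """Ask for the current password again, even inside a logged-in session."""
    if not verify_password(user, current_password):
        return False
    set_password(user, new_password)
    return True


if __name__ == "__main__":
    set_password("alice", "correct horse")  # constructed sample account
    print(change_password("alice", "wrong guess", "taken-over"))     # False
    print(change_password("alice", "correct horse", "new-pass-123"))  # True
```

With the second form, someone who finds a session left open on a public terminal cannot lock the owner out without also knowing the existing password.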
My advice is to go and log into your account, if you have one. Delete your resume and cover letter. Then, change your password to some random alpha-numeric string. Then, cancel your account and explain to Monster.com that three breaches of security in less than two years is completely unacceptable. Also explain that not notifying its customers of the breach, not taking responsibility, and, in general, the overall decline in usability are the reasons they have lost you as a customer. Incompetence and a lack of integrity are what got Monster.com into this mess. It’s the reason why you should be leaving Monster.com as well.

