Monster.com waited five days to tell its users about a security breach that resulted in the theft of confidential information from some 1.3 million job seekers, a company executive told Reuters on Thursday.
Hackers broke into the U.S. online recruitment site's password-protected resume library using credentials that Monster Worldwide Inc (MNST) said were stolen from its clients in one of the biggest Internet security breaches in recent memory.
They launched the attack using two servers at a Web-hosting company in Ukraine and a group of personal computers that the hackers controlled after infecting them with a malicious software program known as Infostealer.Monstres, said Patrick Manzo, vice president of compliance and fraud prevention for Monster, in a phone interview.
The company first learned of the problem on August 17, when investigators with Internet security company Symantec Corp (SYMC) told Monster it was under attack, Manzo said.
"In terms of figuring out what the issue was, that was a relatively quick process," he said. "The other issue is you want to make sure exactly what you are dealing with."
His security team spent the weekend investigating, located the rogue servers, and got the Web-hosting company to shut them down some time either late in the evening on August 20, or early in the morning of August 21, he said.
Manzo said that based on Monster's review, the information stolen was limited to names, addresses, phone numbers and e-mail addresses, and no other details, including bank account numbers, were uploaded.
On August 21, Symantec published a report on its Web site that said it had found copies of scam e-mails that the engineers of the attack were using, with the aim of getting information that was more valuable than just the names and contact details of Monster.com users.
Pretending to be sent through Monster.com from job recruiters, the e-mails asked recipients to provide personal financial data, including bank account numbers. They also asked users to click on links that could infect their PCs with malicious software.
Their ultimate goal in taking the data from Monster.com was to gather enough personal information to lower the guard of targeted victims when they read the e-mails, said Patrick Martin, a senior product manager with Symantec's response team in Austin, Texas, which first identified the attack.
"It gives these spam e-mails just a little bit of credibility," Martin said. "These guys were trying to get financial information from people."
It wasn't until Wednesday, a day after Symantec issued the August 21 report, that Monster put a notice on its Web site, www.monster.com, warning users they might be the target of e-mail scams.
Monster then announced on Thursday that the details of some 1.3 million job seekers had been stolen. Fewer than 5,000 of those affected are based outside the United States, it said in a statement.
A company spokesman said Monster also posted letters to the 1.3 million affected users on Thursday in case the users were wary of opening e-mail from the company after the breach. He said Monster's database has about 73 million resumes.
The security breach comes at a rough time for the company, which in July reported lower-than-expected quarterly earnings.
Chief Executive Sal Iannuzzi, who took the company's helm in April, said on July 30 that he plans to cut 800 jobs, or 15 percent of Monster's full-time staff, in a bid to improve its financial performance.
Hundreds of thousands of people, mostly in the U.S., have been exposed to the risk of having their files held to ransom after the Web site of the world's largest online recruiter was hacked.
Personal details stored on Monster.com, a Web site that lists job seekers and job opportunities, were taken after a raid by hackers who posed as employers to gain access to the site.
Having stolen the information, hackers e-mailed the victims claiming to have infected their computers with a virus and threatening to delete files unless demands for payment were met.
In all, more than 1.6 million entries in Monster's system — belonging to "several hundred thousand" members — were taken after the hackers logged in using the details of employers who routinely scour the site for prospective workers, according to the Silicon Valley security firm Symantec.
The information, which included first and last names, e-mail and home addresses and phone numbers, was then used to send "phishing" e-mails to members, apparently from Monster.com, encouraging them to download a tool known as "Monster Job Seeker."
The tool was in fact a malicious program known as a "Trojan," as in Trojan horse, which encrypted files on the victims' machines, making them inaccessible to the computer owner.
A message was left requesting that money be paid to the attackers before the files — which could include photos and other personal documents — would be decrypted.
"We're still investigating — we don't yet know how this information was obtained, other than that it was downloaded using the login details of legitimate customers of ours," said Patrick W. Manzo, vice president for fraud prevention at Monster.com. "It seems likely it was done over a period of time, because we would have noticed such a vast quantity of details being taken all in one go."
A statement from the company said that it would "take all necessary steps to mitigate the issue, including terminating any account used for illegitimate purposes."
Symantec, which first reported the breach, said that "such a large database of personal information" was "a spammer's dream."
"This remote server held over 1.6 million entries with personal information belonging to several hundred thousand candidates, mainly based in the U.S., who had posted their resumes to the Monster.com Web site," a posting on the Symantec blog said.
Symantec said that the e-mails sent to victims appeared very realistic, carrying the official Monster logo and containing personal information that users had posted on the site in their resumes.
The breach was a new twist on a traditional hack used against corporate databases, security experts said, because the attackers stole log-in details of legitimate users of the database — in this case employers — which in turn granted them access to the vast pool of information it contained.
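The twist described above, legitimate employer logins used to pull records in bulk, is also what Manzo's earlier remark points at: a sudden mass download would have been noticed, so the harvesting was probably spread over time. A defender therefore has to rate each account against its own history rather than a global daily limit. The following is an added example, not code from Monster, Symantec or the reporting; it assumes a hypothetical access-log format of `<ISO timestamp> <account> <src_ip> <resume_id>`, and it goes slightly beyond the text by adding a second signal, one account driven from many source addresses, which matches the earlier description of infected PCs under the attackers' control. The sample log is constructed.

```python
"""Spotting resume harvesting done with a legitimate employer's credentials.

Added example, not Monster's or Symantec's code. It assumes a hypothetical
access log of the form  '<ISO timestamp> <account> <src_ip> <resume_id>'
and rates each account against its OWN history, so a quiet account that
suddenly pulls a few extra resumes every day for a week stands out even
though no single day looks like a bulk download.
"""
from collections import defaultdict
from datetime import date, datetime, timedelta
from statistics import median

WINDOW_DAYS = 7     # sliding window over which accesses are totalled
RATE_RATIO = 3.0    # flag when window total > RATE_RATIO * (daily baseline * WINDOW_DAYS)
MIN_IPS = 3         # flag when one account is driven from this many source IPs
FLOOR_DAILY = 5     # assumed daily rate for accounts with no history


def parse_log(text):
    """Parse the hypothetical log format into (datetime, account, ip, resume) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, account, ip, resume = line.split()
        events.append((datetime.fromisoformat(ts), account, ip, resume))
    return events


def per_day(events):
    """account -> calendar day -> (distinct resumes, distinct source IPs)."""
    days = defaultdict(lambda: defaultdict(lambda: (set(), set())))
    for ts, account, ip, resume in events:
        resumes, ips = days[account][ts.date()]
        resumes.add(resume)
        ips.add(ip)
    return days


def findings(events, window_end, window_days=WINDOW_DAYS):
    """Return {account: [reasons]} for accounts whose access pattern in
    (window_end - window_days, window_end] looks like harvesting."""
    start = window_end - timedelta(days=window_days)
    out = {}
    for account, by_day in per_day(events).items():
        # Baseline: median distinct resumes per active day BEFORE the window.
        history = [len(r) for d, (r, _) in by_day.items() if d <= start]
        baseline = median(history) if history else FLOOR_DAILY
        window = [v for d, v in by_day.items() if start < d <= window_end]
        resumes = set().union(*(r for r, _ in window))
        ips = set().union(*(i for _, i in window))
        expected = baseline * window_days
        reasons = []
        if len(resumes) > RATE_RATIO * expected:
            reasons.append(f"{len(resumes)} distinct resumes in {window_days} days, "
                           f"~{expected:.0f} expected from this account's history")
        if len(ips) >= MIN_IPS:
            reasons.append(f"{len(ips)} distinct source IPs in {window_days} days")
        if reasons:
            out[account] = reasons
    return out


def build_sample_log():
    """Constructed sample: emp-104 is a busy recruiter with a steady 8/day habit
    from one office IP; emp-221 normally views 2/day, then for a week is driven
    at 7/day from a different address every time (a stolen login used from
    many compromised machines). A global daily threshold would flag the wrong one."""
    lines, n = [], 0
    t0 = datetime(2007, 8, 1, 9, 0)
    for d in range(21):
        for k in range(8):
            lines.append(f"{(t0 + timedelta(days=d, minutes=k)).isoformat()} emp-104 203.0.113.10 r{n}")
            n += 1
    for d in range(21):
        per_day_n, ip = (2, "198.51.100.7") if d < 14 else (7, None)
        for k in range(per_day_n):
            src = ip or f"192.0.2.{d * 7 + k}"   # rotating documentation-range addresses
            lines.append(f"{(t0 + timedelta(days=d, minutes=k)).isoformat()} emp-221 {src} r{n}")
            n += 1
    return "\n".join(lines)


def demo():
    """Run the detector over the constructed log; only emp-221 should be flagged."""
    events = parse_log(build_sample_log())
    return findings(events, window_end=date(2007, 8, 21))


if __name__ == "__main__":
    for account, reasons in demo().items():
        print(account, "->", "; ".join(reasons))
```

The per-account baseline is the point: emp-104 views more resumes per day than the stolen account ever does, yet it is never flagged, while emp-221's modest 7 a day adds up to more than three times what its own history predicts for the week. In practice the window total and IP fan-out would feed an alert that leads to the account-termination step the company's statement describes.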
"We are seeing more and more of this extortion-based threat, and in some cases hackers are demanding victims pay up or face a file being deleted from their machine every half hour," said Graham Cluley, a security expert at Sophos, a British security firm.
Symantec advised users of recruitment sites to limit the personal information they posted, and to use a separate, disposable e-mail address rather than their main personal account. Users who feared they may have been affected were encouraged to contact a security vendor and have their machine examined.
Monster.com, based in New York, claims to be the world's largest online jobs listing site, with 73 million resumes held globally.