USAJobs.gov Hit By Attack On Monster.com

USAJobs, the official job search site for the federal government, said Wednesday that more than 146,000 users had their account information stolen as a result of an attack on job search giant Monster.com earlier this month.

In mid-August, attackers compromised Monster.com accounts, gaining access to the company's resume database. With the help of a Trojan horse program targeted at Monster.com users, the attackers made off with the name, address, telephone number, and e-mail address of at least 46,000 Monster.com users. Anti-virus giant Symantec later stated that as many as 1.6 million people may have had their information stolen in the attacks, which used e-mails that addressed recipients by their real names.

A snapshot of the letter Monster.com mailed to users affected by the attack.

Turns out that Monster Worldwide is the technology provider for USAJobs, which is run by the U.S. Office of Personnel Management. Peter Graves, an OPM spokesperson, said 146,000 USAJobs users were affected by the Monster.com attacks. Graves said OPM has received assurances from Monster that Social Security numbers were not compromised.

OPM is in the latter stages of alerting all two million USAJobs.gov users to be on the lookout for phishing scams that might try to take advantage of the stolen data to make their scam e-mails appear more legitimate. Graves said the first signs of the attack surfaced in July, after the organization received a complaint from a USAJobs user.

USAJobs users who receive a suspicious e-mail regarding a search are advised to forward it with the full header information to mayday@fedjobs.gov.

While it's nice to hear that Social Security numbers were not compromised in this attack, it's important to note that even an attack that compromises only names and e-mail addresses can be extremely useful for attackers in future scams. In April, Security Fix wrote about a highly successful phishing attack against Indiana University employees that was later determined to have been aided by a previous attack in which scammers made off with an e-mail address list of some 24,000 IU students and faculty. That attack netted up to 80 victims (while most phishing scams are spammed out to many thousands or millions of people, experts say it is unusual for scammers to haul in more than a few dozen victims).

By Brian Krebs  |  August 30, 2007; 3:50 PM ET
Categories:  Latest Warnings  

Comments

I have been complaining to USAJOBS since March 2007 about the large volume of spam e-mails I get from "monster.com", and they never did anything except deny it was possible. Mind you the e-mail address I have at yahoo.com is strictly for usajobs job-searches and I have never visited or posted on monster.com, let alone provided them with my first and last name etc. Thanks for bringing this to public view.

Posted by: Michelle | August 31, 2007 8:22 AM

I didn't receive the letter, which I guess means that my data was probably not compromised. I did however receive an email. The thing that strikes me about both the letter reproduced above and the email is that nowhere has anybody said "we're sorry." There's a whole bunch of crap at the end of the email telling me how to recognize and avoid phishing, which has the subtle effect of blaming the user for the compromise.

The email also states "The Company has determined that this incident is not the first time Monster's database has been the target of criminal activity." Hmmmm, maybe something should have been done to tighten up security THE FIRST TIME then?

I'm not sure, maybe I should remove my information completely from Monster - but of course who knows how much they'll retain anyway? I could try HotJobs, but that proved to be an open door to spammers the last time.

Posted by: Job Seeker | August 31, 2007 9:27 AM

I was unaware of this until I received an e-mail telling me about this. I have received many scam e-mails and was wondering how they got my information. I did go to the site for www.spamcop.com/help with headers/ and had a pop up that said this site may be a phony. I don't know where to turn next. I guess I will get rid of my e-mail account and start all over.

Posted by: Glenna Roseberry | August 31, 2007 2:03 PM

I don't understand why OPM/USAJOBS insists on collecting SSNs in the first place. They state in their FAQs that this is because it allows them to differentiate one applicant from another.

Companies like Google, Microsoft, etc. receive thousands of resumes every day. Yet somehow they are able to figure out that John H. Smith from Carson City, NV is not the same as John D. Smith in Albany, NY.

Sure, having an SSN on file makes it slightly more convenient for them, but it puts the financial security of every user in jeopardy.


Also, had I known that USAJOBS has outsourced everything to Monster.com, I never would have applied in the first place.

I am never applying for a federal job again, and I urge everyone to stop using USAJOBS until they justify collecting SSNs.

Posted by: GF | August 31, 2007 2:59 PM

bk,

... or maybe I was hanging out at gilbert.az.com. You'll never know.

Posted by: GTexas | August 31, 2007 5:36 PM

This sucks. I got the email from usajobs, but haven't seen any increase in spam yet.

The biggest worry should be that some Foreign Intelligence Service gets a hold of the data and uses it to target SES grades or occupational series 0132 (your intelligence people). While the resumes and data are all UNCLASSIFIED, it would still save an FIS a lot of time and effort.

Posted by: Fed Jobs User | September 1, 2007 11:44 AM

GD- Ah, that explains everything!

Posted by: Bk | September 1, 2007 3:50 PM

GF,

You are so absolutely correct. How many data security breaches will it require before the sanctity of our private information is protected?

Posted by: Mick | September 4, 2007 12:31 PM

What I'm wondering is... if Monster.com and USA jobs KNEW about the theft in mid-August, why are we finding out about it at the beginning of September?? Warnings are not any good if you get them after the fact!!

Too little, too late!!

.. and .. how do they KNOW that our SSN's were NOT compromised??

Posted by: Melissa | September 4, 2007 8:36 PM

I can't wait until the entire Federal Civil Service operations is converted to private industries. The private section performs such outstanding works. (at making monies)

Posted by: tropedoabad | September 5, 2007 12:21 PM

This sucks. Those of us who have accounts on USAJOBS are victims, and I never got any notification, not even notice of the cheesy mayday@fedjobs.gov address to use for the phishing. I found it in Google. Monster is a contractor, a private entity that works in lieu of govt. employees performing this function. This did not happen when it was controlled by OPM regional service centers in house. So whatever! to the private sector comments. Just fix the stinkin' problem already and acknowledge it!

Posted by: JD | December 10, 2007 12:35 PM

The comments to this entry are closed.

 
 
© 2010 The Washington Post Company