IT security and control firm Sophos is advising all users of
careers website Monster.com and USAJobs.gov, the official job site
of the US Federal Government, to change their passwords following
news that both sites have been the victim of a serious hacking
attack which has compromised both and usernames and passwords.
Furthermore, as research has discovered that 41 percent of
people use the same password for every website they access, many
Monster and USAJobs users are likely to be at risk of their
accounts on other websites are at risk of being hacked.
What the Monster.com security
breach teaches us about passwords from
SophosLabs on Vimeo.
According to a warning published by Monster, other data stolen
included users' email addresses, names, phone numbers and some
demographic data. The incident follows a similar attack on both
sites 18 months ago when hackers used the Monstres Trojan horse to
steal details of jobseekers via recruiter accounts. That hack was
unsurprisingly followed by a widespread phishing campaign.
"Customers of both Monster and USAJobs have been placed at
serious risk because of this attack," said Graham Cluley, senior
technology consultant at Sophos. "One very real risk is that the
hackers will use the email addresses and personal information they
have stolen to mount a very realistic phishing campaign to gather
more sensitive information from the victims. But, that's just the
tip of the iceberg - since so many people use the same password for
every website, there's a good chance the cybercriminals will be
able access users' bank accounts and other sites."
Sophos recommends that all users of these sites take steps now
to minimise the risks. This should first include changing your
password for your Monster and/or USAJobs account, as well as for
other websites. Sophos advises that users choose a non-dictionary
word that is hard to guess, and use different passwords for
different websites.
According to media reports, Monster is not planning to warn its
users via email about the security breach, but instead posted an
advisory on its website.
"There will be a few raised eyebrows about how Monster is
choosing to inform its members of this serious security breach. As
the company's database was hacked in what appears to have been a
similar attack in 2007, customer confidence in the company may be
damaged following this latest incident," continued Cluley.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.