Cyberthieves stole 1.3 million names, Monster says

By Byron Acohido

SEATTLE — Monster Worldwide (MNST) acknowledged Thursday that intruders swiped sensitive data for at least 1.3 million job seekers from its popular employment website.

The company issued a statement saying it shut down the "rogue server" where the stolen data was being stored and that only names, addresses, phone numbers and e-mail addresses were found. The company declined further comment, saying it is cooperating with law enforcement.

However, security experts say the rogue server was likely just one of dozens used to steal and store data from Monster in an elaborate theft campaign that has been ongoing since May.

There could be many more than 1.3 million Monster patrons whose data have been breached, and there is little stopping the crooks from continuing the attacks, says Robert Sandilands, chief researcher at security firm Authentium.

"It is a very good first step by Monster," Sandilands says. "There will have to be more changes to prevent this from happening again. This was a smaller part of a much bigger operation."

In targeting Monster, intruders sent out e-mail come-ons and pop-up ads pitching job-finding services to get victims to click on a tainted Web link. Clicking on it results in an error message and turns control of the PC over to the intruder, says Don Jackson, virus researcher at security firm SecureWorks.

Monster has posted detailed precautions at

Infected PCs are being incorporated into "zombie" networks to spread e-mail spam, deliver more infections and collect and store stolen data. Meanwhile, all information typed by the user into the Web browser, including user names and passwords for online accounts, gets collected.

Jackson has tracked down several servers being used to store data collected over time from victims' browser activity, including Social Security numbers and other data. One such storage unit held rich data for 46,000 individuals, he says.

The crooks appear to have used such data to log into a job recruiter's Monster account and order contact information for 1.3 million job candidates. That data, in turn, was used to target known job seekers for e-mail scams touting Monster's services.

The Monster attack has been so successful that security experts expect it to be attempted at other employment websites. For that matter, all websites that collect user profiles, particularly social and business networking and media websites, are susceptible as targets, security experts say.

"The advice to just stay out of the dark corners of the Internet really doesn't hold water any more," says David Cole, director of the Symantec Security Response team. "The bad guys are going to legitimate websites and attacking people."