Copyright © 2009 by The Atlantic Monthly Group. All rights reserved.

Not just hacked, hacked last week. And six months ago.
Brian Krebs at the Post has the details.
Among security circles, the real controversy is that Monster didn't even bother to notify e-mails that their accounts had been compromised. If John Doe uses the same password at Monster that he uses for his e-mail provider or bank account, then this breach could compromise those accounts, which is why it's always critical that users be notified.
The other controversy is the fact that it was even possible to get the passwords at all. This is basic Website Security 101: Never store the user's password in your system. Ever. They should have been storing a one-way hash of the password, not the password itself, so that if the system is ever compromised, the thieves can only get the password's hash, not the passwords themselves. This has been standard practice since time immemorial (even before the web existed), so the fact that Monster makes this mistake boggles the mind.
Yikes, Monster was one of my go-to sites. I think I shall remove my profile. For those looking for other job sites, they have a good list of them at www.thecanned.com.
Even more astonishing is the lack of prominence they give to the security warning on their arrival page. It's quite tiny. Do they honestly think that millions of people haven't heard about this scandal? Talk about tip-toeing past the graveyard.
Anonymous Coward is right - this is breathtaking incompetence. I think I would get fired for that.