Wednesday, 28 January 2009

Monster Jan09 breach: The Website Passwords Problem

Only a day or so after posting "The Problem with website Passwords" another big data breach at online job website “Monster” has come to light. What is particularly relevant to my last post and highly concerning, is in their breach statement Monster said website user account passwords were stolen along with other personal details, including Email addresses, names and user IDs.

"We recently learned our database was illegally accessed and certain contact and account data were taken, including Monster user IDs and passwords, email addresses, names, phone numbers" - statement from

Firstly their web application is blatantly insecure by design, it's basic web application security for website (web application) passwords to be one-way hashed with a unique salt (number), which in other words making it pretty much impossible to obtain a user's actual password anyone, including a hacker or someone with full privileged access. This is because in using hashing means the website database does not store the user's actual password, but instead a unique hash (long number) equating to the user's password, which is checked upon sign on.

Secondly, as I said in the The Problem with website Passwords post, it is likely most Monster website users are using the same website credentials on other website accounts (i.e. user id, email address, their name, password), so hundreds of thousands of online banking, PayPal and eBay accounts are now likely to be at risk because of this breach, this is not just about On the black market this type of website account access information has high value, typically ten times the value of a stolen credit card for example, and this in my view is probably the reason why Monster was targeted for this information in the first place. Security monitoring of Monster accounts isn’t going to help as the horse as bolted, it is likely this information has probably been split up and already sold on around the world, just to repeat this point, the target of the breach is not to illicitly access people's CVs on Monster!

Finally Monster also stores an array of typical password reset questions, based on personal information only known to the website account holder. Monster didn't make any mention of this in their statement, but it's fair to assume these details were also stolen along with everything else, again providing fraudsters with all the information they need to impersonate a victim online, including resetting passwords on other websites. If this is indeed the case, I would have to say this is one of worst breaches I’ve seen, since it is putting Monster user's other websites usage at risk, from what I’ve read so far I think the media have missed this angle in reporting the breach and its potential significance and impact on the average joe.

My advice, if you are Monster user, change your Monster website password to something unique in case they are hacked again - let's be honest Monster have a history of data breaches now!  Then ensure you aren't using that new password or your old Monster website password on any other website you are signed up with. And finally consider any Monster password reset questions you have in place and potential impact on other websites using the same reset questions.

1 comment:

Web Designer said...

So informative things are provided here, I am really happy to read this post, I was just I agree with you. This post is truly inspirational.