The theft of contact information for job seekers in the database of Monster Worldwide Inc was greater than the 1.3 million individuals the company reported last week, Chief Executive Sal Iannuzzi said on Wednesday.
While investigating the recent theft, the company learned that its Web site had previously been hacked.
"We're assuming it is a large number. It could easily be in the millions," Iannuzzi said in an interview with Reuters.
The hackers didn't get the kind of information it takes to pull money out of a bank account, according to Monster.com, but the contact data is valuable to criminals who use social engineering techniques to conduct scams.
Contact data provide criminals just enough information to convince some recipients to let their guard down because the use of personal information and other social engineering techniques make the e-mails seem legitimate.
Some Monster.com job seekers who had posted their resumes on the site received e-mails from alleged recruiters. They said they had seen their resumes on the site and wanted them to provide bank account information to complete job applications.
Other e-mails sent to Monster.com users asked them to click on links that loaded malicious software onto their computers. Such programs can be used to steal financial information entered onto the PC, or to secretly launch similar attacks on other computers.
Monster said that while it knows its database has previously been compromised, it is unable to ascertain how often it has happened or how much data has been stolen.
It is advising all users to assume that their data has been taken by criminals and to assume that they will email them in an effort to get financial information or infect their PCs.
Monster has said that the data thieves only took names, addresses, phone numbers and email addresses. There is no evidence that any financial information was taken, the company said.
"They are at higher risk for social engineering attacks," said Randy Abrams, director of technical education for security software maker ESET.
But he said that the data that Monster.com lost isn't as valuable to criminals as some information that people willingly put onto social networking sites such as MySpace.com.
People post photos of themselves and their families, talk about their jobs, hobbies, religious beliefs and provide other information valuable to criminals out to make a buck.
That's enough information to help a criminal concoct a convincing story to persuade somebody to let their guard down.
"It would be child's play to social engineer at least 40 percent of the people on MySpace," Abrams said.
While Monster is stepping up surveillance of its traffic and boosting security staff, the company said the site remains vulnerable to hackers.
"I want to be clear and I want to be frank: there is no guaranteed fix," Iannuzzi said. "I wish I could say ... there will be absolutely no way that the Monster site can be compromised. I cannot ever make that promise, and no Internet company can."
About 200 to 300 job seekers have canceled their accounts as a result of the security issue, the CEO said, but those have been offset by an upswing in new accounts. A "handful" of employers have canceled their accounts, Iannuzzi said.
The company, which said last month it would invest $80 million to $100 million over 18 months to improve its technology, will dedicate "a large measure of that money" to fixing the security issue, Iannuzzi said.
Monster shares closed on Wednesday up $1.24, or 3.8 percent, to $34.15 on Nasdaq. Its shares were little changed in extended trading.
(Reporting by Nick Zieminski in New York and Jim Finkle in Boston)
Return to internet news headlines
View Internet News Archive