Sophos informs us that job sites Monster and USAJobs (an official US Job site) have been hacked. Messages on Monster and USAJobs confirm this. I’d like to draw attention to the fact that passwords were stolen:
We recently learned our database was illegally accessed and certain contact and account data were taken, including Monster user IDs and passwords.
We recently learned that the Monster database was illegally accessed and certain contact and account data were taken, including user IDs and passwords, email addresses, names, phone numbers, and some basic demographic data.
Same wording – because Monster is the “technology provider” for USAJobs.
There is even more potential for danger, however, because passwords have been stolen. We know that too many people use the same password for every website that they access.
Right. But why is Monster even storing passwords? It is not necessary. All you need to store is a one-way password hash, so the site can verify a password without recording it. This is easily done in every web platform out there.
There is a disadvantage. It means the site cannot email you your lost password; instead, it must reset your password. Since email passes in plain text, emailing passwords is a bad idea anyway, and I hate to see sites doing it; it is a useful alert, though, that the site places a low value on security.
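Here is what "store a hash, not the password" and "reset, don't email" look like in practice. This is an added example, not code from Monster, USAJobs or Sophos; it uses only the Python standard library. The record layout (salt, hash, iteration count, reset-token fields) and the user store are assumptions for illustration. It adds one detail the paragraph above leaves implicit: each password gets its own random salt, so two users with the same password do not produce the same stored hash, and the reset token is itself stored only as a hash, so a copy of the database does not contain anything that logs in or resets an account.

```python
import hashlib
import hmac
import os
import secrets
import time

# Work factor for PBKDF2-HMAC-SHA256; raise it over time as hardware gets faster.
PBKDF2_ITERATIONS = 600_000


def make_password_record(password: str) -> dict:
    """Return what the site stores for a user: a random per-user salt and a
    one-way hash of the password. The password itself is never written."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time,
    so the site can check a password it never recorded."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def issue_reset_token(record: dict, ttl_seconds: int = 3600) -> str:
    """Password reset instead of 'email me my password': mint a random,
    short-lived, single-use token. Only its hash and expiry are stored; the
    token itself goes into the reset link, so a leaked database does not
    contain a usable token either."""
    token = secrets.token_urlsafe(32)
    record["reset_hash"] = hashlib.sha256(token.encode("utf-8")).hexdigest()
    record["reset_expires"] = time.time() + ttl_seconds
    return token


def redeem_reset_token(record: dict, token: str, new_password: str) -> bool:
    """Accept the token only if it matches and has not expired; then replace
    the password record and drop the token so it cannot be reused."""
    expected = record.get("reset_hash")
    if expected is None or time.time() > record.get("reset_expires", 0):
        return False
    presented = hashlib.sha256(token.encode("utf-8")).hexdigest()
    if not hmac.compare_digest(presented, expected):
        return False
    fresh = make_password_record(new_password)
    record.clear()            # discards reset_hash / reset_expires as well
    record.update(fresh)
    return True


def record_contains_password(record: dict, password: str) -> bool:
    """What an attacker who copies the table would see: no password anywhere."""
    return password in "".join(str(v) for v in record.values())


if __name__ == "__main__":
    # Constructed sample user; nothing here comes from any real site.
    users = {"alice": make_password_record("correct horse battery staple")}
    print("login ok:", verify_password(users["alice"], "correct horse battery staple"))
    print("bad password rejected:", not verify_password(users["alice"], "password1"))
    print("stolen record reveals password:",
          record_contains_password(users["alice"], "correct horse battery staple"))
    token = issue_reset_token(users["alice"])
    print("reset accepted:", redeem_reset_token(users["alice"], token, "new-passphrase"))
    print("old password still works:", verify_password(users["alice"], "correct horse battery staple"))
```

The two choices that matter are in `make_password_record` and `issue_reset_token`: a slow, salted hash instead of the password, and a hashed, expiring token instead of a mailed password. Everything else is plumbing.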
Any site can get hacked, but what isn’t stored can’t be stolen.
Technical blunders like this can be costly; there’s no excuse for it that I can think of.