Security Ripcord


Canceling Monster.com

Okay, I just canceled my Monster.com account.  I’m not really too upset about it because I have never gotten a job through it or any other online service.  The closest I have come is a local newspaper ad.

While I was looking for their method of canceling the account I noticed the “Help and Security” link in the upper right-hand corner of their site.  So I clicked it.  After activating (reluctantly) JavaScript I clicked it again and received a pop-up window with information about how to augment the information on my account.  Helpful from a help standpoint, but where was the “security” portion?  I hit Ctrl-F and searched on security.  As you can see from the image below, the only information about “security” had to deal with “security clearance.” The highlighted word is the last instance of the word “security” on that page.  Nice, this just reinforces my decision to cancel the account.

Monster Help and Security Page

Since this page did not provide me with any information about how to cancel my account, I started hunting around my account’s profile page.  Under “Preferences” I found “Cancel membership” in the “Resume Privacy” section.  To help, here is another image.

Cancel Membership Location

Do you see the “Learn more about membership cancellation” link?  Well, who could resist understanding what Monster.com thinks about membership cancellation?  Are you ready for a surprise?  WAIT FOR IT…..

Monster Cancel Information

HEY!!!  There is the information about how to generate a good password.  I’d say that is “security” worthy.  So they do care!!!  Reading through I now see that it is important to not use “simple” passwords.  But they did not mention anything about storing passwords in the clear or with weak encryption methodologies so I guess that is not really an issue when it comes to protecting information.

Once I was done familiarizing myself with password basics I moved on to cancel my membership.  From a customer service standpoint at least Monster.com is concerned about why I am leaving their site.  From the image below you can see that I let them know that I am concerned about privacy.

Reason for Leaving Monster.com

If my input is too fuzzy to read, here you go.

The recent rash of security breaches associated with monster.com and usajobs.com is very concerning to me.  Encrypted storage of passwords has been an industry standard for years now and your lackadaisical attitude towards the protection of your customer’s personal information has forced me to remove me to remove [sic] my information from your systems.  Good luck.

Hehe, now that I read back over it, good luck to me and my editorial review methods in the future.  Hopefully they get the gist.  As long as they remove my information from their databases I don’t really care.

Now that we have all of that out of the way, let’s talk about the risks involved here.  Am I really at risk because of the information that I provided to this service?  Maybe a little, but not much more, because the information that I provide there I provide in many other ways across the Internet.  Some by my choice, some not.  For instance, you can get to know me a lot by the things I write about and also from the LinkedIn and education information that I provide via this site.  You can get my address from the local property tax website and you only need to call the operator to get my telephone number.  So what is the concern?

The concern is that this is one-stop shopping for the criminally minded.  Monster.com has made their jobs very easy.  Although there are plenty of services and methods to obtain the information stored by Monster.com, a little bit of work was required.  And when you start multiplying the number of people by the work required, your man-hours increase significantly.  So, the time spent on hacking into Monster.com is cost-effective.  The bonus is plain-text (I assume from the language of the disclosure information I have reviewed online) passwords.  I can almost see the person’s reaction in my mind as they reviewed the information they pulled from the database.

Hmm, okay. Yup, script worked.  Hmmm, all the account information.  Nice.  What the f***?  HOLY CR**!!!!  Hey, <insert hacker name here>, check this out!!!  F***ing plain-text passwords.  F***ing Score, baby!!! Thank you, Monster.com.  w00t!!!!

So, my recommendation.  Remove your information from Monster.com.  Hell, for that matter.  Remove your information from all websites you are not using on a regular basis.  Speaking of which, I need to start reviewing my list now.

UPDATE: LB Huston of MSI and I were thinking out loud and alike on Twitter about how this information will also be helpful to government and (as LB pointed out) industrial espionage.  The information coming from the USAJOBS.gov site will contain information about the duties individuals performed in other government positions, their clearance levels, and so forth.  Hopefully not too much more information, but we all know how people like to be informative, especially when they are trying to impress for a new position.  Unfortunately, even if the information is vague and hard for most people to piece together, governments and businesses have people who are trained on how to correlate various information sources to get a bigger picture of a situation.  This is exactly the information they are looking to obtain.  Right now people around the world are scrambling to try and find a method to obtain access to the information that was obtained from this breach.

Go forth and do good things,

Don C. Weber




One Response to “Canceling Monster.com”

  1. I just cancelled too for the same reason. Monster are truly useless. I never found it as useful as Jobsite anyway.
