The theft of personal information from some 1.3 million users of the Monster.com job search service first revealed two weeks ago was not a one-time attack, the company's CEO said Wednesday.
"The Company has determined that this incident is not the first time Monster's database has been the target of criminal activity," Sal Iannuzzi, the chairman and CEO of Monster Worldwide, said in a statement. In an interview with Reuters, Iannuzzi also acknowledged that the most recent breach may have been substantially larger than the 1.3 million users the company said earlier had been affected.
"It could easily be in the millions," Iannuzzi told Reuters. He did not spell out when other attacks had taken place or even how many might have breached the company's security.
Iannuzzi was divulging the prior attacks, he said, to give all Monster.com users fair warning. "Due to the significant amount of uncertainty in determining which individual job seekers may have been impacted, Monster felt that it was in your best interest to take the precautionary steps of reaching out to all Monster job seekers regarding this issue."
A second statement released by the company Wednesday reiterated its inability to tell users whether their information had been compromised. "Despite ongoing analysis, the scope of this illegal activity is impossible to pinpoint," the company said.
On Aug. 17, Symantec security analyst Amado Hidalgo told Monster that he'd found the names, e-mail addresses, home addresses, phone numbers and resume identification numbers representing more than a million of its users on a hacker-controlled server hosted in Ukraine. Hidalgo theorized -- and several days later, Monster confirmed -- that the data had been retrieved using legitimate log-on credentials stolen from recruiters and human resource personnel with corporate Monster.com accounts.
Within days, Monster.com said it had shut down the data-storing server, which was also used by an aggressive hacker crew to spam the users whose data was stolen. Some of the spam duped those users into self-infecting their PCs with online bank account password stealers, while other junk mail campaigns tried to convince job seekers into working as "money mules," the term for people who launder the money stolen from phished bank accounts.
A week ago, evidence surfaced of Monster.com-fueled attacks beginning in early July. Some job seekers, however, claimed they had seen similar messages as far back as February. Iannuzzi's admission Wednesday supported the claims of a long-running exploit of the company's database.
"Monster has launched a series of initiatives to enhance and to protect the integrity of the information you have entrusted to us," Iannuzzi said. "Some of these steps are being immediately implemented, while others will be put into place as appropriate."
In an accompanying statement, Monster.com said that the new security measures included adding new site monitoring and surveillance capabilities, and reviewing and tightening its site access policies and controls.
As recently as Aug. 19, however, Monster.com said that the second step -- tightening access -- might be impossible. "From time to time, our legitimate customers' credentials are used to gain unauthorized access to the database, and it would be very difficult to be 100 percent certain that any given access using legitimate credentials is indeed legitimate," said spokesman Steve Sylven then.
One possible measure the site could take would be to disable automated or script-based searches; the attackers seeded Trojans that robotically searched the massive Monster.com database using the same techniques that corporate recruiters rely on. Early in the case, a Monster.com spokesman said that it was essentially impossible to tell the difference between a legitimate automated search done by a corporate account holder and one run by the hacker's Trojan.
In addition, Monster.com hired an unspecified number of "industry security experts" who specialize in helping corporations protect customer data. Ironically, in late July, Monster.com selected Cyveillance, an Arlington, Va.-based firm that specializes in protecting enterprise assets from malware attacks.
According to a statement issued July 23 by Cyveillance, the company was supposed to protect Monster.com's users from phishing and malware attacks. Cyveillance was also set to monitor various sources for any abuse of the Monster brand or logo.
The spam spewed out by the Infostealer.Monstres Trojan -- the malware that snatched the personal information from the Monster.com database -- was designed to look like legitimate e-mail from the job search site.