Serious security alert for Monster and USAJobs users

Graham Cluley
Graham Cluley
@[email protected]

Monster and USAJobs

Careers website and, the official job site of the US Federal Government, have published security alerts to their customers warning of a serious hacking attack.

Feeling a sense of deja vu? Well, you should be as this has happened before.

It appears that’s database and’s database were compromised and contact and account information was stolen. Data stolen included users’ login names, passwords, email addresses, names, phone numbers and some demographic data.

Sign up to our free newsletter.
Security news, advice, and tips.

Here is a short video I have made, explaining the possible impact of this security breach – and explaining why you should take this opportunity to think long and hard about whether you are acting securely with your website passwords:

[vimeo 2974130]

Monster has published a warning for its users, advising them to change their passwords. A similar alert has appeared on the website, whose database is run by Monster.

Warning on website

Although the warnings are keen to emphasis what information has not been breached during the attack (for instance, social security numbers), it is important to understand the serious risks that Monster and USAJobs customers may be placed in because of this incident.

One very real risk is that hackers will use the email addresses and personal information they have received to mount a realistic phishing campaign, attempting to gather more sensitive information about victims. Phishing emails which attempt to look more legitimate by using the recipient’s real name and other personal information (such as user id, phone number or location) are always more successful at social engineering further details that could be used for indentity theft out of people.

There is even more potential for danger, however, because passwords have been stolen. We know that too many people use the same password for every website that they access.

That means that if hackers have managed to extract your or password in this attack, they might be able to use it to break into your email accounts, or the likes of eBay, PayPal, Amazon, and indeed any other website that you have used the same password for.

So, if you use or you should change your password now. Choose a sensible password that is not a dictionary word and that is hard to guess. And *then* change your passwords at any other site where you might be using the same password. Make sure, of course, that it’s not the same password as the one you are using at Monster – you don’t want to make that mistake again.

Worryingly, this isn’t the first time that Monster and USAJobs have been targeted by hackers who have stolen data about their users. 18 months ago, as this 2007 report from Reuters reveals, hackers used the Monstres Trojan horse to steal details of jobseekers via recruiter accounts. That hack was unsurprisingly followed up by a widespread phishing email campaign.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.