The job-hunting site says that it cannot notify the users because the exposure took place on a third-party organization's server.
Information belonging to users of monster.com has been exposed for some time on an unprotected web server. Neither Monster nor the third party that purchased the data has notified the victims.
According to reports, personal information of job seekers who used the Monster platform between 2014 and 2017 was exposed. This includes home addresses, phone numbers, prior work experience, and email addresses. Financial information was not included at all.
According to Vinay Sridhara, CTO of Balbix, the personally identifiable information available on a resume can easily lead to account hijacking as well as phishing attacks if it gets into the wrong hands. Moreover, a threat actor can even have password reset codes sent to a compromised email address or phone number to obtain more sensitive data, both professional and personal.
The number of files exposed is not clear. To put things in perspective, a single folder from May 2017 was stated to contain at least thousands of resumes. Apart from these resumes, immigration work documents, which were not collected by Monster, were also found on the exposed server.
Monster said that it did not notify its users because the exposure happened on the third-party organization's servers. The third party is unnamed, and Monster no longer deals with it. The company further added that the server was secured again after notification.
The data can no longer be accessed from the unnamed server; still, several resumes along with other important documents provided by job seekers are available in the cached results of search engines.
As the exposure occurred at a third party and not the job website itself, the firm did not warn the users about the leakage of their data.