Millions of additional users of the job-search site Monster.com may have had their personal information stolen by Internet criminals in security breaches that occurred before the break-in that was reported last week, top company executives said Wednesday.
Monster Worldwide Inc. said an internal investigation had found that in an undetermined number of previous cases, criminals used passwords belonging to legitimate corporate recruiters to access resumes posted at Monster.com.
Because it's impossible to tell whose information was obtained, Monster said it would try to reach all of its active customers by e-mail to warn them.
"In terms of the numbers, we looked at it hard, and we don't know what the answer is," company Vice President Patrick Manzo said.
New York-based Monster doesn't disclose how many people use the site, but it said it had 70 million resumes on hand.
Monster also said it was redoubling its security efforts in the wake of the disclosure that the names, e-mail addresses, home addresses and phone numbers of about 1.3 million users had been discovered on a scam artist's computer in Ukraine.
Although more sensitive information, such as Social Security and bank account numbers, was not included in the Ukraine stockpile, computer security experts said a criminal ring was using the data to send e-mails to the victims that appeared to come from Monster or prospective employers. Some of those e-mails tried to get recipients to divulge bank information, and others tried to install secret programs that recorded account numbers and passwords as the computer users typed.
Manzo said he did not know how many Monster users had complained of being victimized in the most recent attacks. Last week, he said, the company had noticed e-mail attacks on customers eight or nine months ago but didn't have concrete evidence of improper access to its files until the latest breach.
Monster said it had been ramping up its defenses against improper access and would take more steps to monitor use by corporate customers and limit the data they could extract.
A fraud task force with 20 people dedicated to site security will now report to Monster Chief Executive Sal Iannuzzi, Manzo said.