Thousands of names, phone numbers, and e-mail addresses stored by the Internet job-search site Monster.com have been stolen as part of a complex online fraud scheme.
Symantec Corp., a security company, disclosed the breach over the weekend after one of its researchers found that a server computer in Ukraine held 1.6 million records stolen from Monster, a New York company whose US operations are based in Maynard.
Not every stolen record included personal data, but Dave Cole, director of Symantec's security response team, estimated the thieves obtained names and addresses of hundreds of thousands of people.
Symantec notified Monster of the theft, and the company promised quick action.
"We are investigating the reports," said Patrick W. Manzo, Monster's vice president for compliance and fraud prevention, "and will take all necessary steps to mitigate the issue, including terminating any account used for illegitimate purposes."
The stolen information does not include the most sensitive personal data, such as bank account, credit card, or Social Security numbers.
Resumes posted on Monster do not contain that kind of information, which could easily be used to commit identity fraud.
Instead, it appears the criminals were after the e-mail addresses found on many resumes.
People whose e-mail addresses were harvested then receive "phishing" e-mails that appear to come from Monster, urging them to install a piece of job-search software.
The software actually installs one of two dangerous programs.
Some victims receive a "keylogger" program that secretly records passwords typed by the victim during visits to online banking sites.
Passwords could then be relayed to thieves, letting them clean out the victims' accounts.
Other victims get a "ransomware" program, which locks vital files so the user can't access them.
The user then gets an e-mail message demanding a $150 payment for a key to unlock the files.
Cole said thieves got access to the Monster resumes by seeding the Internet with a "Trojan horse" program that runs secretly on thousands of computers.
This program logs onto Monster using legitimate credentials belonging to an employer that uses Monster to find job candidates.
Such credentials provide access to millions of resumes.
The Trojan horse software collected data from many resumes and relayed it to the Ukrainian computer.
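The harvesting pattern described above, a very large number of resume views through a single employer login, driven from many infected machines rather than one office, is the kind of thing a job site's own access logs can reveal. The following Python is an added example of such a detector; it is not code from Monster or Symantec, and the log line format, account names, client addresses and alert thresholds are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are assumptions for illustration; a real site would derive them
# from each employer account's historical usage rather than fixed constants.
VIEWS_PER_WINDOW_LIMIT = 50      # resume views one account may make per window
DISTINCT_IPS_LIMIT = 5           # distinct client IPs per account before alerting
WINDOW = timedelta(hours=1)


def build_sample_log():
    """Return constructed access-log text (not real Monster data).

    Assumed line format:
        <ISO timestamp> account=<employer login> ip=<client ip> action=<action> resume=<id>
    """
    lines = []
    base = datetime(2007, 8, 17, 9, 0, 0)
    # A recruiter reading a dozen resumes over a working day from one office IP.
    for i in range(12):
        ts = base + timedelta(minutes=40 * i)
        lines.append(f"{ts.isoformat()} account=acme-hr ip=203.0.113.10 "
                     f"action=resume_view resume=r{1000 + i}")
    # One employer login driven by a bot on many infected machines:
    # 200 resume views in 30 minutes from 40 different client addresses.
    for i in range(200):
        ts = base + timedelta(seconds=9 * i)
        ip = f"198.51.100.{i % 40}"
        lines.append(f"{ts.isoformat()} account=bigcorp-recruiting ip={ip} "
                     f"action=resume_view resume=r{5000 + i}")
    # An unrelated event type that the detector should ignore.
    lines.append(f"{base.isoformat()} account=acme-hr ip=203.0.113.10 "
                 f"action=login resume=-")
    lines.sort()                  # fixed-width ISO timestamps sort chronologically
    return "\n".join(lines) + "\n"


def parse_line(line):
    """Split one log line into a dict of its key=value fields plus a datetime."""
    ts_str, *fields = line.split()
    rec = dict(field.split("=", 1) for field in fields)
    rec["ts"] = datetime.fromisoformat(ts_str)
    return rec


def detect_harvesting(log_text, views_limit=VIEWS_PER_WINDOW_LIMIT,
                      ips_limit=DISTINCT_IPS_LIMIT, window=WINDOW):
    """Map each suspicious account to the sorted list of signals that fired.

    Signals: "volume"   - more than views_limit resume views inside any
                          sliding window of length `window`
             "many_ips" - the same employer login used from more than
                          ips_limit distinct client addresses
    Lines must be in chronological order.
    """
    recent = defaultdict(deque)   # account -> timestamps of views still in window
    seen_ips = defaultdict(set)   # account -> client IPs observed so far
    alerts = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("action") != "resume_view":
            continue
        acct = rec["account"]
        q = recent[acct]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # drop views older than the window
            q.popleft()
        if len(q) > views_limit:
            alerts[acct].add("volume")
        seen_ips[acct].add(rec["ip"])
        if len(seen_ips[acct]) > ips_limit:
            alerts[acct].add("many_ips")
    return {acct: sorted(signals) for acct, signals in alerts.items()}


if __name__ == "__main__":
    for acct, signals in detect_harvesting(build_sample_log()).items():
        print(f"{acct}: {', '.join(signals)}")
```

The "many_ips" signal is the one specific to the attack described here: a stolen employer password used by a Trojan on thousands of computers shows up as one account arriving from many client addresses, which an ordinary recruiter does not do. Flagging an account is only the first step; the per-account rate limit the "volume" check enforces is the sort of control a site would want alongside any redesign of its password system.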
Manzo stressed that the security breach was not due to a bug in his company's systems.
"You have folks that got hold of legitimate credentials of our customers, not from us, and logged into our site," he said.
He said the password might have been stolen from one of the thousands of businesses that have Monster accounts, and added that the company might have to redesign its password system to prevent such breaches.
A new Massachusetts state law requires companies to notify consumers of personal data thefts. Manzo said the law does not apply in this case because the thieves got only names and addresses, not more sensitive data like Social Security numbers.
Manzo said Monster may notify its customers once the full extent of the breach has been determined.
Hiawatha Bray can be reached at firstname.lastname@example.org.