Security researchers at Symantec say the former. Kevin Mandia, a computer forensics expert, believes it might be the latter.
"The trojan appears to be using the [probably stolen] credentials of a number of recruiters to login to the website and perform searches for resumes of candidates located in certain countries or working in certain fields," Symantec researcher Amado Hidalgo said in blog post.
"The trojan sends HTTP commands to the Monster.com website to navigate to the Managed Folders section," he added. "It then parses the output from a pop-up window containing the profiles of the candidates that match this recruiter's saved searches."
The trojan extracted personal information from the resumes and uploaded to a remote server, Symantec said. The researchers found 1.6 million pieces of compromised data on a single server. Separately, SecureWorks’ researchers found about a dozen smaller collections of stolen data, which included names and home and email addresses.
The perpetrators then used the collected email addresses to send phishing messages to job hunters whose information was stolen, SecureWorks said.
Mandia, chief executive officer of Mandiant, said he questions whether Monster.com was in fact "hacked."
"I don't see any evidence that Monster.com was hacked at all — it looks like a business process was compromised," he told SCMagazine.com today.
"I'm not convinced data theft is the right definition" for what occurred, he added. "This is a site that collects people's resumes that are publicly available. Monster.com is a site that people pay to find perspective employees, and someone used an account for data mining so they could send spam. I would imagine something like this could have been happening for years."
Symantec said it has told Monster.com of the problem so it can shut down the recruiter accounts stolen by the trojan.
A Monster.com spokesperson did not return a telephone call seeking comment.
Click here to email West Coast Bureau Chief Jim Carr.