Jay Heiser, Gartner Research Vice President:
"There are two issues here: First, just how much damage this caused to the individuals involved; second, what the security ramifications of Software as a Service (SaaS) and social networking are."
"First, some reports give the impression that everyone who had an account at Monster will suddenly be attacked by bank-account-stealing cyber-criminals, and that is more than a bit of an exaggeration. However, it is the case that the criminal community is hoovering up large amounts of personal info and correlating it, functioning as a sort of underground information bureau. The fact that most people do use the same password on multiple sites means that if passwords were stolen from Monster (which could only happen if Monster used a very primitive and ill-conceived design), it is possible for that password information from Monster to be made available to attackers, along with information from other sources, in support of attacks against bank accounts. The information at Monster alone is not sufficient to attack bank accounts."
"The bottom line is that active internet users should have unique passwords for all sensitive sites. The unfortunate fact is that you need a unique password for every critical site, so you need to manage these valuable passwords, which probably means keeping them in an encrypted application."
"Second, you should never assume that a SaaS offering is 'safe', be it a fun social networking site or a serious business site, unless you are given evidence that it is safe. For consumers, you have no way of knowing how safe a site is, so don't put anything on it that would harm you if it were stolen (such as the same password you use for your bank). This should also serve as an example for businesses about putting their fate into the hands of other people. Externally-provisioned products are becoming increasingly popular for business, too, and for good reason. If what you need to do involves information that you can't afford to lose, or you don't want stolen, then you need to be given evidence by the service provider that they are taking security into account."
"For both consumers and business, making a decision about the relative safety of an online-service is a very, very difficult thing to do."
"There are two issues here: First, just how much damage this caused to the individuals involved; second, what the security ramifications of Software as a Service (SaaS) and social networking are."
"First, some reports give the impression that everyone who had an account at Monster will suddenly be attacked by bank-account-stealing cyber-criminals, and that is more than a bit of an exaggeration. However, it is the case that the criminal community is hoovering up large amounts of personal info and correlating it, functioning as a sort of underground information bureau. The fact that most people do use the same password on multiple sites means that if passwords were stolen from Monster (which could only happen if Monster used a very primitive and ill-conceived design), it is possible for that password information from Monster to be made available to attackers, along with information from other sources, in support of attacks against bank accounts. The information at Monster alone is not sufficient to attack bank accounts."
"The bottom line is that active internet users should have unique passwords for all sensitive sites. The unfortunate fact is that you need a unique password for every critical site, so you need to manage these valuable passwords, which probably means keeping them in an encrypted application."
"Second, you should never assume that a SaaS offering is 'safe', be it a fun social networking site or a serious business site, unless you are given evidence that it is safe. For consumers, you have no way of knowing how safe a site is, so don't put anything on it that would harm you if it were stolen (such as the same password you use for your bank). This should also serve as an example for businesses about putting their fate into the hands of other people. Externally-provisioned products are becoming increasingly popular for business, too, and for good reason. If what you need to do involves information that you can't afford to lose, or you don't want stolen, then you need to be given evidence by the service provider that they are taking security into account."
"For both consumers and business, making a decision about the relative safety of an online-service is a very, very difficult thing to do."
