The City of Bozeman, Montana effectively joined the ranks of phishers when they asked job candidates for their usernames and passwords for social networking sites that the applicant belongs to.
In a report at
To begin with, the city was asking applicants to breach their terms of service with the social networking sites that require passwords and account access to be kept confidential. The city went further in promoting exceptionally poor security practices. You don’t ask people for their usernames and passwords.
The city simply rescinding the policy falls a million miles short of doing the right thing. If the city is going to act responsibly, it will immediately inform the social networking sites which users' accounts were compromised by the city's collection of usernames and passwords, so that the sites can immediately force a password reset. Additionally, the city should proactively inform all applicants whose passwords were collected that they should change their passwords, as their accounts are at risk from insiders. It is not unheard of for employees of governments and private organizations to abuse data.
With the massive amounts of data being lost and the low level of security expertise demonstrated by the city in even collecting this information, all applicants who provided passwords to the city must assume that the city will lose their data and that criminals will end up with their usernames and passwords.
Upon notifying the social networking sites and affected applicants, the city needs to purge the data from its systems and its backups. It was an unacceptable and completely ignorant security risk for the city to have collected the data in the first place, and it is a further risk to keep it.
Evidently, some in the government of the city of Bozeman think that civic duty is the import tax paid on a Honda automobile.
Director of Technical Education
Author ESET Research, ESET