One Monster of an Attack

There are several lessons to be learned from the recent penetration of Monster.com and the phishing campaign that followed. In this attack, recruiter accounts were compromised and used to download around a million Monster user records. Those records were then used to craft targeted phishing e-mails purporting to come from interested employers.
The first thing I'm wondering is how these recruiter accounts were compromised. Were the accounts brute-forced? If so, why did Monster allow the use of weak passwords, and why didn't Monster lock an account after numerous bad password attempts? I sure hope the people whose accounts were compromised didn't use that password anywhere else; if they did, they should be frantically changing it.
Even if the accounts were compromised through a keystroke logger on the recruiter's system, why were they able to download so many records? A single recruiter account pulling records by the hundreds of thousands is nothing like normal use. Shouldn't that have raised some sort of red flag?
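The two controls the post is asking about (lock an account after a burst of failed logins, and alert when one account pulls an abnormal number of records) are small enough to sketch. The following is an added example written for this page, not code from Monster or from the original post; the account names, thresholds, timestamps and log lines are constructed for illustration, and the download log format is an assumed one.

```python
"""Added example (not from the original post): the two account-abuse
controls the post asks about, run over constructed sample data.
  1. LoginGuard: lock an account after N failed logins in a sliding window.
  2. bulk_download_alerts: flag any account whose record pulls in one clock
     hour exceed a limit.
All thresholds, account names and log lines here are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values for illustration only (not Monster's settings).
MAX_FAILED = 5                        # failed attempts allowed ...
FAIL_WINDOW = timedelta(minutes=15)   # ... within this window before lockout
LOCKOUT_FOR = timedelta(minutes=30)   # how long the account stays locked
BULK_LIMIT_PER_HOUR = 200             # record pulls per account per hour that alert


class LoginGuard:
    """Sliding-window failed-login counter with a temporary lockout.

    Counting is keyed on the account rather than the client IP, so guesses
    spread across many source addresses still trip the lockout. A successful
    login clears the failure history.
    """

    def __init__(self, max_failed=MAX_FAILED, window=FAIL_WINDOW, lockout=LOCKOUT_FOR):
        self.max_failed = max_failed
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)   # account -> timestamps of recent failures
        self._locked_until = {}               # account -> datetime the lock expires

    def _prune(self, account, now):
        """Drop failures that fell out of the sliding window."""
        q = self._failures[account]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        return until is not None and now < until

    def attempt(self, account, password_ok, now):
        """Return 'locked', 'ok' or 'fail'. While locked, even the right
        password is refused, so a guesser learns nothing from the response."""
        if self.is_locked(account, now):
            return "locked"
        if password_ok:
            self._failures[account].clear()
            return "ok"
        self._prune(account, now)
        self._failures[account].append(now)
        if len(self._failures[account]) >= self.max_failed:
            self._locked_until[account] = now + self.lockout
            self._failures[account].clear()
            return "locked"
        return "fail"


# Constructed sample download log (assumed format: "<iso-timestamp> <account> records=<n>").
SAMPLE_LOG = [
    "2007-08-20T09:05:00 recruiter_acme records=20",
    "2007-08-20T09:40:00 recruiter_acme records=15",
    "2007-08-20T10:00:00 recruiter_bulk records=500",
    "2007-08-20T10:20:00 recruiter_bulk records=500",
    "2007-08-20T10:45:00 recruiter_bulk records=500",
]


def parse_download_log(lines):
    """Parse the assumed log format into (timestamp, account, record_count)."""
    events = []
    for line in lines:
        ts, account, kv = line.split()
        events.append((datetime.fromisoformat(ts), account, int(kv.split("=", 1)[1])))
    return events


def bulk_download_alerts(events, limit=BULK_LIMIT_PER_HOUR):
    """Sum records pulled per account per clock hour; return the buckets over the limit
    as (account, hour_start, total), sorted."""
    totals = defaultdict(int)
    for ts, account, n in events:
        hour = ts.replace(minute=0, second=0, microsecond=0)
        totals[(account, hour)] += n
    return sorted((acct, hour, n) for (acct, hour), n in totals.items() if n > limit)


def demo_lockout():
    """Fast: six bad passwords a minute apart, then the right one. The fifth
    failure locks the account; the sixth attempt and the correct password
    after it are both refused. Slow: the same six failures 20 minutes apart
    never fill the 15-minute window, so the account is never locked."""
    g = LoginGuard()
    t0 = datetime(2007, 8, 20, 9, 0, 0)
    fast = [g.attempt("recruiter_acme", False, t0 + timedelta(minutes=i)) for i in range(6)]
    fast.append(g.attempt("recruiter_acme", True, t0 + timedelta(minutes=6)))
    slow = [g.attempt("recruiter_other", False, t0 + timedelta(minutes=20 * i)) for i in range(6)]
    return {"fast": fast, "slow": slow}


def demo_alerts():
    """Only recruiter_bulk (1500 records in the 10:00 hour) exceeds the limit."""
    return bulk_download_alerts(parse_download_log(SAMPLE_LOG))


if __name__ == "__main__":
    print(demo_lockout())
    print(demo_alerts())
```

The lockout is keyed on the account on purpose: keying on source IP alone lets a botnet spread its guesses thin. The download check is deliberately crude (a fixed per-hour cap); in practice you would baseline each recruiter's usual volume, but even a fixed cap would have made a million-record pull impossible to miss.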
As for the phishing, users need to treat any request for their personal, bank or credit-card information with suspicion, even when it appears to come from an interested employer. And beware of what information you make available on such a site in the first place.