The recent security breach at Monster.com went unreported to the site's users even though the company had known about it for five days.
The job website failed to warn its users about the problem until 22 August, despite being informed of the attack on 17 August by Symantec.
Symantec posted a report on its website on 21 August, and Monster.com followed suit with a warning on its own site a day later.
But by the time the attack had been shut down, the confidential information from 1.3 million job seekers had already been uploaded to servers in the Ukraine.
Patrick Manzo, vice president of compliance and fraud prevention at Monster.com, claimed that the stolen data did not go beyond names, addresses, phone numbers and email addresses.
Patrick Martin, senior product manager at Symantec, said that the aim of the attack seemed to have been to gain access to user data to send more convincing spam in the hope of stealing financial information.
"They were trying to get financial data from people to give any future spam emails they send a little bit more credibility," he said.
Monster has posted hard-copy letters to the 1.3 million affected users so that they could be warned about the disclosure without needing to open an email.
The company's database holds around 73 million CVs.
