What’s happened?
If you use Norton lifeLock as your password manager, your account may have been compromised.
Woah. What???
According to Bleeping Computer, Gen, the company behind Norton LifeLock (and other brands including Avast, Avira, AVG, ReputationDefender, and CCleaner), is sending data breach notifications to some of its customers warning that their accounts have been accessed following a credential-stuffing attack.
So Norton LifeLock got hacked?
I’d argue that’s an unfair way to describe what’s happened.
Norton LifeLock didn’t screw up anything like as badly as fellow password manager LastPass did in its recent horrendous hack.
In fact, in the notification being sent to affected Norton LifeLock customers, the company says:
Our own systems were not compromised. However, we strongly believe that an unauthorized third party knows and has utilized your username and password for your account.
But how did a hacker find out the username and password to so many people’s LifeLock accounts?
Credential-stuffing attacks take advantage of the fact that many people still make the mistake of reusing the same passwords in different places on the internet.
If one service gets breached and its password database stolen, hackers can fling those credentials at other online accounts – to see if they might unlock something desirable elsewhere.
When did this attack happen?
The company says that the unauthorised access to customer accounts began on December 1 2022, but things heated up considerably on December 12 when a “large volume” of failed account logins occurred.
What did the hackers access in Norton LifeLock accounts?
The data breach notification says that users’ names, phone numbers, and mailing addresses have been accessed, but TechCrunch reports that the company “cannot rule out that the intruders also accessed customers’ saved passwords.”
Gulp!
What can be done to stop this kind of attack?
Well, the first thing is to STOP REUSING PASSWORDS (Sorry for shouting, but I’ve been saying this for years…)
The other thing you can do is enable two-factor authentication (2FA) on your accounts, which adds an additional layer of protection even if your password falls into the wrong hands.
Norton offers three flavours of 2FA to its account holders – mobile authentication app, security key, or mobile phone number. Either of the first two 2FA methods are a better option than mobile phone number, but frankly any 2FA is better than no 2FA at all.
Which brings me to the next point. Why doesn’t Norton LifeLock insist upon users enabling two-factor authentication for their own protection?
It certainly sounds like it make life harder for hackers…
Right. 2FA isn’t 100% bulletproof, but it does force criminals to put more effort into their attacks – which may be unattractive to them, particularly at scale.
So how many accounts were accessed by the hackers?
Bleeping Computer reports that Gen claims to have “secured 925,000 inactive and active accounts that may have been targeted by credential-stuffing attacks.”
Almost a million!
Yup, it’s a significant attack. The company says that it is monitoring the situation closely, flagging accounts with suspicious login attempts, and proactively asking customers to reset their passwords.
It is also recommending that 2FA is enabled, but – at risk of repeating myself – I would really like to see more companies insist on the use of two-factor authentication. Ultimately it not only helps to protect customer accounts, but it can also reduce reputational damage to the targeted service.
Which, I would argue, is particularly important when it comes to a service which is supposed to store your passwords securely.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
