LifeLock Norton Data Breach

Password Manager Reports Customer Accounts were Compromised

DESCRIPTION

Gen Digital, the parent company of Norton LifeLock, reported that the data of approximately 6,500 customers of their password manager product was compromised. The attacks were first noticed in early December of 2022. The method of attack is believed to have been a credential stuffing attack, a type of brute force attack where the attacker collects exposed or compromised account credentials and attempts to log in to another site using the identical usernames and passwords. This type of attack is made possible when users use the same credentials across multiple websites and fail to further protect access to those accounts with multi-factor authentication.

The attackers are reported to have gained access to the first names, last names, phone numbers, and mailing addresses of the potential victims. Gen Digital has not ruled out the possibility that saved passwords were accessed as well.

This attack is not the first time Gen Digital has been the victim of a cybersecurity event; the last reported compromise occurred in 2015. The attack on the password manager provider comes only four months after Norton competitor LastPass suffered a data breach.

IDENTIFY INDICATORS OF COMPROMISE (IOC)

The company said that it received a large number of failed login attempts on December 12, 2022, but that the attack began at a small scale as early as December 1st. While attacks were attempted on as many as 925,000 accounts, the company said that the attack seems to have been limited to users who used weak, self-created passwords to protect their accounts.

CONTAINMENT (If IoCs are identified)

The Norton security team took a variety of actions to secure the 925,000 inactive and active accounts, but did not elaborate on the exact measures taken. Notices were sent to the 6,500 individuals whose accounts were confirmed to have been compromised. Security teams are also monitoring all accounts and logging any that show suspicious login attempts. Flagged accounts are being contacted and asked to reset their passwords upon their next login. In addition, all Norton LifeLock users are being encouraged to enable multifactor authentication (MFA) if they haven’t yet done so.

PREVENTION

The practice of individuals using the same usernames and passwords across multiple accounts is still widespread. This gives an attacker the opportunity to seize an exposed username/password credential from one site and pivot to another site to attempt a login. For instance, attackers could use the credentials gained from a breach of the website of Company A to log on to the websites of Company B and C, hoping that a percentage of those accounts use the same credentials.

Security professionals generally still recommend the use of password managers. However, the idea of securing secret credentials in a password manager using the same secret credential is problematic. When using a password manager, it is imperative that you use a unique, complex password for the master key that is very different from the passwords you want to store in your accounts. It is recommended that you have the password manager generate all passwords to ensure this. It is also essential to enable multifactor authentication (MFA) so that access is protected by more than just a single username and password combination.
