
Password Manager Reports Customer Accounts Were Compromised
DESCRIPTION
Gen Digital, the parent company of Norton LifeLock, reported that the data of approximately 6,500 customers of its password manager product was compromised. The attacks were first noticed in early December 2022. The method is believed to have been credential stuffing, a type of brute-force attack in which the attacker collects account credentials exposed in earlier breaches and replays the same username/password pairs against other sites. The attack works only where users reuse the same credentials across multiple websites and have not further protected those accounts with multi-factor authentication.
IDENTIFY INDICATORS OF COMPROMISE (IOC)
The company said that it observed a large number of failed login attempts on December 12, 2022, but that the attack had begun at a smaller scale as early as December 1. While login attempts were made against as many as 925,000 accounts, the company said the successful compromises appear to have been limited to users who protected their accounts with weak, self-created passwords.
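The indicators above are a spike in failed logins plus the characteristic shape of credential stuffing: one source trying many distinct usernames about once each, most attempts failing, an occasional success. The following is an added example (not code from Norton LifeLock or Gen Digital) showing how to pull those signals out of an authentication log. The log format, the field names, the RFC 5737 test addresses and the thresholds are all assumptions made for the illustration; the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample authentication log in a hypothetical format (not Norton LifeLock
# telemetry). Source addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = (
    # Legitimate user: one mistyped password, then success.
    ["2022-12-12T03:14:01Z ip=198.51.100.7 user=alice result=FAIL",
     "2022-12-12T03:14:09Z ip=198.51.100.7 user=alice result=OK"]
    # Credential stuffing: one source, one attempt per account across many accounts,
    # nearly all failing; the lone success is the reused password that worked.
    + [f"2022-12-12T03:15:{i:02d}Z ip=203.0.113.10 user=user{i:03d} result=FAIL" for i in range(12)]
    + ["2022-12-12T03:15:12Z ip=203.0.113.10 user=user012 result=OK"]
    # Classic brute force, for contrast: one source hammering a single account.
    + [f"2022-12-12T03:16:{i:02d}Z ip=192.0.2.44 user=dave result=FAIL" for i in range(15)]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse(lines):
    """Parse log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def classify_sources(events, min_attempts=8, min_distinct_users=8, min_fail_ratio=0.8):
    """Classify each source IP by the shape of its attempts.

    Credential stuffing looks like many distinct usernames with about one try each
    and a high failure rate; brute force is many tries against one username. A
    normal user makes a handful of attempts, mostly successful.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set(), "succeeded": set()})
    for e in events:
        s = per_ip[e["ip"]]
        s["attempts"] += 1
        s["users"].add(e["user"])
        if e["result"] == "FAIL":
            s["fails"] += 1
        else:
            s["succeeded"].add(e["user"])

    verdicts = {}
    for ip, s in per_ip.items():
        fail_ratio = s["fails"] / s["attempts"]
        if s["attempts"] < min_attempts or fail_ratio < min_fail_ratio:
            verdicts[ip] = "normal"
        elif len(s["users"]) >= min_distinct_users:
            verdicts[ip] = "credential_stuffing"
        elif len(s["users"]) == 1:
            verdicts[ip] = "brute_force"
        else:
            verdicts[ip] = "suspicious"
    return verdicts, per_ip


def accounts_to_reset(events, **thresholds):
    """Accounts successfully logged into from an attacking source: the ones to
    notify and force through a password reset at next login."""
    verdicts, per_ip = classify_sources(events, **thresholds)
    hit = set()
    for ip, verdict in verdicts.items():
        if verdict in ("credential_stuffing", "brute_force"):
            hit |= per_ip[ip]["succeeded"]
    return hit


def failed_logins_per_minute(events):
    """Failed-login volume per minute, the spike signal the company described."""
    return Counter(e["ts"].strftime("%Y-%m-%dT%H:%M") for e in events if e["result"] == "FAIL")


def spike_minutes(counts, baseline_per_minute, factor=5):
    """Minutes whose failed-login count exceeds the normal baseline by `factor`."""
    return sorted(m for m, n in counts.items() if n >= baseline_per_minute * factor)


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    verdicts, _ = classify_sources(evts)
    for ip, v in sorted(verdicts.items()):
        print(f"{ip:15} {v}")
    print("force reset:", sorted(accounts_to_reset(evts)))
    print("spike minutes:", spike_minutes(failed_logins_per_minute(evts), baseline_per_minute=2))
```

Two caveats a practitioner would apply before using this shape in production: real stuffing campaigns spread attempts across large proxy pools, so the per-source grouping should be repeated per ASN or per client fingerprint, with thresholds lowered accordingly; and the per-minute baseline must be learned from the service's own quiet periods rather than fixed, otherwise a low-and-slow start such as the one reported here from December 1 never crosses the spike threshold.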
CONTAINMENT (If IoCs are identified)
The Norton LifeLock security team took a variety of actions to secure the 925,000 targeted accounts, both active and inactive, but did not elaborate on the exact measures taken. Notices were sent to the 6,500 individuals whose accounts were confirmed to have been compromised. Security teams are also monitoring all accounts and logging any that show suspicious login attempts; flagged accounts are contacted and required to reset their password at the next login. In addition, all Norton LifeLock users are being encouraged to enable multi-factor authentication (MFA) if they have not yet done so.
PREVENTION
The practice of using the same username and password across multiple accounts is still widespread. It gives an attacker the opportunity to take a username/password pair exposed by one site and pivot to others. For instance, credentials obtained from a breach of Company A's website can be tried against the websites of Company B and Company C in the expectation that some percentage of those accounts use the same credentials. A unique password per site, which is the point of a password manager, together with MFA on each account breaks that chain: a credential leaked from Company A then opens nothing at B or C.
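The reuse described above is something a password manager is well placed to catch, since it holds every site's credential and can see which entries share a password, and it can screen each password against a breach corpus without disclosing it. The following is an added example (not code from any vendor's product) of such a vault audit. The vault entries, the breach corpus and the site names are constructed for the illustration; the prefix lookup mimics the k-anonymity scheme of the Have I Been Pwned Pwned Passwords range API, but the index here is built locally so the example runs offline.

```python
import hashlib
from collections import defaultdict

# Constructed vault entries for illustration (hypothetical sites and users, no real secrets).
VAULT = [
    {"site": "company-a.example", "user": "alice@example.com", "password": "Winter2022!"},
    {"site": "company-b.example", "user": "alice@example.com", "password": "Winter2022!"},
    {"site": "company-c.example", "user": "alice",             "password": "Winter2022!"},
    {"site": "bank.example",      "user": "alice@example.com", "password": "kq7#Vt2!pLm9zRw@"},
    {"site": "forum.example",     "user": "alice",             "password": "qwerty"},
]

# Constructed stand-in for a compromised-password corpus. A real deployment queries a
# breach feed; the Have I Been Pwned Pwned Passwords range API, for example, takes the
# first five hex characters of the SHA-1 and returns the matching suffixes with counts.
KNOWN_COMPROMISED = {"password123", "Winter2022!", "qwerty"}


def sha1_hex(s):
    return hashlib.sha1(s.encode("utf-8")).hexdigest().upper()


# Build the same prefix -> {suffix: count} index the range API serves, from the corpus above.
RANGE_INDEX = {}
for _pw in KNOWN_COMPROMISED:
    _h = sha1_hex(_pw)
    RANGE_INDEX.setdefault(_h[:5], {})[_h[5:]] = 1


def lookup_range(prefix):
    """Stand-in for the remote range lookup. Only the 5-character prefix would leave
    the client, so the service learns neither the password nor its full hash."""
    return RANGE_INDEX.get(prefix, {})


def is_compromised(password):
    """Check a password against the breach corpus without sending it anywhere."""
    h = sha1_hex(password)
    return lookup_range(h[:5]).get(h[5:], 0) > 0


def reuse_groups(vault):
    """Sites that share a password, grouped: this is the pivot path from A to B and C."""
    by_hash = defaultdict(list)
    for entry in vault:
        by_hash[sha1_hex(entry["password"])].append(entry["site"])
    return sorted(sorted(sites) for sites in by_hash.values() if len(sites) > 1)


def audit_vault(vault):
    """Report reused and breached passwords; every entry listed needs a new, unique password."""
    return {
        "reused": reuse_groups(vault),
        "compromised": sorted(e["site"] for e in vault if is_compromised(e["password"])),
    }


if __name__ == "__main__":
    report = audit_vault(VAULT)
    for group in report["reused"]:
        print("same password on:", ", ".join(group))
    print("known-compromised password on:", ", ".join(report["compromised"]))
```

The two checks catch different failure modes: reuse is what lets an attacker pivot from Company A to B and C even if the password is strong, while the breach lookup catches a password that is unique to one site but already circulating in credential lists. Grouping by hash rather than by plaintext keeps the report free of the passwords themselves.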