What’s happened?
If you use Norton LifeLock as your password manager, your account may have been compromised.
Woah. What???
According to Bleeping Computer, Gen, the company behind Norton LifeLock (and other brands including Avast, Avira, AVG, ReputationDefender, and CCleaner), is sending data breach notifications to some of its customers warning that their accounts have been accessed following a credential-stuffing attack.
So Norton LifeLock got hacked?
I’d argue that’s an unfair way to describe what’s happened.
Norton LifeLock didn’t screw up anything like as badly as fellow password manager LastPass did in its recent horrendous hack.
In fact, in the notification being sent to affected Norton LifeLock customers, the company says:
Our own systems were not compromised. However, we strongly believe that an unauthorized third party knows and has utilized your username and password for your account.
But how did a hacker find out the username and password to so many people’s LifeLock accounts?
Credential-stuffing attacks take advantage of the fact that many people still make the mistake of reusing the same passwords in different places on the internet.
If one service gets breached and its password database stolen, hackers can fling those credentials at other online accounts – to see if they might unlock something desirable elsewhere.
When did this attack happen?
The company says that the unauthorised access to customer accounts began on December 1 2022, but things heated up considerably on December 12 when a “large volume” of failed account logins occurred.
What did the hackers access in Norton LifeLock accounts?
The data breach notification says that users’ names, phone numbers, and mailing addresses have been accessed, but TechCrunch reports that the company “cannot rule out that the intruders also accessed customers’ saved passwords.”
Gulp!
What can be done to stop this kind of attack?
Well, the first thing is to STOP REUSING PASSWORDS. (Sorry for shouting, but I’ve been saying this for years…)
The other thing you can do is enable two-factor authentication (2FA) on your accounts, which adds an additional layer of protection even if your password falls into the wrong hands.
Norton offers three flavours of 2FA to its account holders – mobile authentication app, security key, or mobile phone number. Either of the first two 2FA methods is a better option than mobile phone number, but frankly any 2FA is better than no 2FA at all.
Which brings me to the next point. Why doesn’t Norton LifeLock insist upon users enabling two-factor authentication for their own protection?
It certainly sounds like it would make life harder for hackers…
Right. 2FA isn’t 100% bulletproof, but it does force criminals to put more effort into their attacks – which may be unattractive to them, particularly at scale.
So how many accounts were accessed by the hackers?
Bleeping Computer reports that Gen claims to have “secured 925,000 inactive and active accounts that may have been targeted by credential-stuffing attacks.”
Almost a million!
Yup, it’s a significant attack. The company says that it is monitoring the situation closely, flagging accounts with suspicious login attempts, and proactively asking customers to reset their passwords.
It is also recommending that 2FA is enabled, but – at risk of repeating myself – I would really like to see more companies insist on the use of two-factor authentication. Ultimately it not only helps to protect customer accounts, but it can also reduce reputational damage to the targeted service.
Which, I would argue, is particularly important when it comes to a service which is supposed to store your passwords securely.
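The “large volume of failed account logins” described above is the signal a defender looks for: credential stuffing fails against many different usernames from the same source, whereas a legitimate user mistyping a password fails against one. The script below, an added example that is not Norton’s or Gen’s code, runs that heuristic over a few constructed log lines and lists the accounts a service would flag for a password reset; the log format and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log (timestamp, result, username, source IP).
# Addresses are documentation ranges; none of this is real Norton/Gen data.
SAMPLE_LOG = """\
2022-12-12T03:00:01Z FAIL alice@example.com 203.0.113.7
2022-12-12T03:00:02Z FAIL bob@example.com 203.0.113.7
2022-12-12T03:00:02Z FAIL carol@example.com 203.0.113.7
2022-12-12T03:00:03Z OK dave@example.com 203.0.113.7
2022-12-12T03:00:04Z FAIL erin@example.com 203.0.113.7
2022-12-12T03:00:05Z FAIL frank@example.com 203.0.113.7
2022-12-12T03:00:06Z OK grace@example.com 203.0.113.7
2022-12-12T03:05:00Z FAIL alice@example.com 198.51.100.20
2022-12-12T03:05:30Z OK alice@example.com 198.51.100.20
"""

def parse(log_text):
    """Turn 'ISO-time RESULT username ip' lines into event dicts (assumed format)."""
    events = []
    for line in log_text.splitlines():
        ts, result, user, ip = line.split()
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "ok": result == "OK", "user": user, "ip": ip})
    return events

def find_stuffing_sources(events, min_distinct_users=4):
    """Source IPs whose failed logins span at least min_distinct_users accounts.
    One user failing repeatedly is a forgotten password; many different users
    failing from one source is a credential list being replayed."""
    failed_users = defaultdict(set)
    for e in events:
        if not e["ok"]:
            failed_users[e["ip"]].add(e["user"])
    return {ip for ip, users in failed_users.items()
            if len(users) >= min_distinct_users}

def accounts_to_flag(events, suspicious_ips):
    """Accounts that a stuffing source logged into successfully: the reused
    passwords that worked, so these are the ones to reset proactively."""
    return sorted({e["user"] for e in events
                   if e["ok"] and e["ip"] in suspicious_ips})

if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    bad = find_stuffing_sources(evts)
    print("stuffing sources:", bad)
    print("accounts to reset:", accounts_to_flag(evts, bad))
```

In the sample, 198.51.100.20 is left alone (one user, one typo, then success), while 203.0.113.7 is flagged and the two accounts it got into are queued for a reset.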
First LastPass and now another password manager?!
Here we go again
So the real problem is between the chair and the keyboard? The lesson learned is that if you reuse your master password, all your passwords are belong to us. For great justice.
This seems not to be Norton LifeLock's fault, they have been vigilant and noticed and warned about multiple credential stuffing attacks. I do agree that they should mandate 2FA on their clients' Password manager accounts.
Yeah, that's my point.
If you're a security company promising to store users' most sensitive information you have a duty to protect it the best you can.
2FA should be mandatory, or at least the default, to reduce the risk of an account being compromised due to a reused or poorly-chosen password.
There are also a bunch of other things that can be done to help protect against credential stuffing. Some good advice here from OWASP: https://cheatsheetseries.owasp.org/cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.html