Ugh! Norton LifeLock password manager accounts accessed by hackers

Graham Cluley
@gcluley


What’s happened?

If you use Norton LifeLock as your password manager, your account may have been compromised.

Woah. What???

According to Bleeping Computer, Gen, the company behind Norton LifeLock (and other brands including Avast, Avira, AVG, ReputationDefender, and CCleaner), is sending data breach notifications to some of its customers warning that their accounts have been accessed following a credential-stuffing attack.

So Norton LifeLock got hacked?

I’d argue that’s an unfair way to describe what’s happened.

Norton LifeLock didn’t screw up anything like as badly as fellow password manager LastPass did in its recent horrendous hack.

In fact, in the notification being sent to affected Norton LifeLock customers, the company says:

Our own systems were not compromised. However, we strongly believe that an unauthorized third party knows and has utilized your username and password for your account.

But how did a hacker find out the username and password to so many people’s LifeLock accounts?

Credential-stuffing attacks take advantage of the fact that many people still make the mistake of reusing the same passwords in different places on the internet.

If one service gets breached and its password database stolen, hackers can fling those credentials at other online accounts – to see if they might unlock something desirable elsewhere.

When did this attack happen?

The company says that the unauthorised access to customer accounts began on December 1 2022, but things heated up considerably on December 12 when a “large volume” of failed account logins occurred.

What did the hackers access in Norton LifeLock accounts?

The data breach notification says that users’ names, phone numbers, and mailing addresses have been accessed, but TechCrunch reports that the company “cannot rule out that the intruders also accessed customers’ saved passwords.”

Gulp!

What can be done to stop this kind of attack?

Well, the first thing is to STOP REUSING PASSWORDS (Sorry for shouting, but I’ve been saying this for years…)

The other thing you can do is enable two-factor authentication (2FA) on your accounts, which adds an additional layer of protection even if your password falls into the wrong hands.


Norton offers three flavours of 2FA to its account holders – mobile authentication app, security key, or mobile phone number. Either of the first two 2FA methods is a better option than a mobile phone number, but frankly any 2FA is better than no 2FA at all.

Which brings me to the next point. Why doesn’t Norton LifeLock insist upon users enabling two-factor authentication for their own protection?

It certainly sounds like it would make life harder for hackers…

Right. 2FA isn’t 100% bulletproof, but it does force criminals to put more effort into their attacks – which may be unattractive to them, particularly at scale.
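As an added example, not code from the article or from Norton's service, here is how the "mobile authentication app" flavour of 2FA is checked on the server side: an RFC 6238 TOTP verifier in Python. The secret is the RFC 4226 reference test key, and the one-step skew window and the replay rule (reject any step already used) are assumptions of this example.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demonstration secret: the RFC 4226 reference test key
# "12345678901234567890", base32-encoded as authenticator apps expect it.
# It is an assumption of this example, not a value from Norton's service.
EXAMPLE_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

STEP_SECONDS = 30  # time-step size assumed here (the RFC 6238 default)


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter,
    dynamically truncated to `digits` decimal digits."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, timestamp: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time step."""
    return hotp(secret_b32, timestamp // STEP_SECONDS, digits)


def verify_totp(secret_b32: str, submitted: str, timestamp: int,
                window: int = 1, last_step: int = -1, digits: int = 6):
    """Server-side check of a code typed from an authenticator app.

    Accepts the current time step or up to `window` steps either side (clock
    skew between phone and server). Steps at or below `last_step`, the step of
    the last code this account already used, are rejected so that a code an
    attacker captured cannot be replayed. Comparison is constant-time.

    Returns the accepted step (store it as the new `last_step`) or None.
    """
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    current = timestamp // STEP_SECONDS
    for drift in range(-window, window + 1):
        step = current + drift
        if step <= last_step:
            continue
        if hmac.compare_digest(hotp(secret_b32, step, digits), submitted):
            return step
    return None


if __name__ == "__main__":
    now = int(time.time())
    code = totp(EXAMPLE_SECRET_B32, now)
    print("current code:", code,
          "accepted step:", verify_totp(EXAMPLE_SECRET_B32, code, now))
```

The point for the credential-stuffing scenario is the second factor's shared secret: a reused password leaked from another site yields nothing without it, and the `last_step` bookkeeping means even a code phished in real time works once at most.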

So how many accounts were accessed by the hackers?

Bleeping Computer reports that Gen claims to have “secured 925,000 inactive and active accounts that may have been targeted by credential-stuffing attacks.”

Almost a million!

Yup, it’s a significant attack. The company says that it is monitoring the situation closely, flagging accounts with suspicious login attempts, and proactively asking customers to reset their passwords.
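The credential-stuffing pattern described earlier (one leaked password tried against each of many accounts) and the "flagging accounts with suspicious login attempts" step above can both be shown with a small detector over an authentication log. This is an added example in Python, not code from the article or from Gen; the log lines, the IP addresses (RFC 5737 documentation ranges), the five-minute window and the five-account threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log for this example (not real Gen/Norton
# data). Columns: ISO-8601 timestamp, source IP, account, outcome.
# 203.0.113.7 sprays one attempt per account across many accounts (stuffing);
# 198.51.100.2 hammers a single account (a different pattern, not flagged here).
SAMPLE_LOG = """\
2022-12-12T10:00:01Z 203.0.113.7 alice@example.com FAIL
2022-12-12T10:00:02Z 203.0.113.7 bob@example.com FAIL
2022-12-12T10:00:02Z 203.0.113.7 carol@example.com FAIL
2022-12-12T10:00:03Z 203.0.113.7 dave@example.com SUCCESS
2022-12-12T10:00:04Z 203.0.113.7 erin@example.com FAIL
2022-12-12T10:00:05Z 203.0.113.7 frank@example.com FAIL
2022-12-12T10:00:06Z 203.0.113.7 grace@example.com FAIL
2022-12-12T10:03:00Z 198.51.100.2 alice@example.com FAIL
2022-12-12T10:03:10Z 198.51.100.2 alice@example.com FAIL
2022-12-12T10:03:20Z 198.51.100.2 alice@example.com SUCCESS
2022-12-12T10:05:00Z 192.0.2.9 heidi@example.com SUCCESS
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, ip, account, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       ip, account, outcome))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_distinct_accounts=5):
    """Flag source IPs whose failed logins hit many *different* accounts
    inside one time window, the credential-stuffing signature, as opposed
    to many attempts against one account.

    Returns (flagged_ips, accounts_to_reset): accounts_to_reset maps each
    account that a flagged IP logged into successfully to the IPs involved,
    i.e. the accounts a service would force a password reset on.
    """
    by_ip = defaultdict(list)
    for event in events:
        by_ip[event[1]].append(event)

    flagged_ips = set()
    for ip, ip_events in by_ip.items():
        ip_events.sort()
        start = 0
        for end in range(len(ip_events)):
            # slide the window start forward so the span is at most `window`
            while ip_events[end][0] - ip_events[start][0] > window:
                start += 1
            failed_accounts = {acct for _, _, acct, outcome
                               in ip_events[start:end + 1] if outcome == "FAIL"}
            if len(failed_accounts) >= min_distinct_accounts:
                flagged_ips.add(ip)
                break

    accounts_to_reset = defaultdict(set)
    for _, ip, account, outcome in events:
        if ip in flagged_ips and outcome == "SUCCESS":
            accounts_to_reset[account].add(ip)
    return flagged_ips, dict(accounts_to_reset)


if __name__ == "__main__":
    ips, accounts = detect_credential_stuffing(parse_log(SAMPLE_LOG))
    print("stuffing sources:", sorted(ips))
    for account, sources in sorted(accounts.items()):
        print(f"force password reset for {account} "
              f"(logged in from {sorted(sources)})")
```

The distinct-accounts-per-source measure is what separates stuffing from ordinary brute force; a real deployment would also key on device fingerprint or ASN, since stuffing tools rotate IPs, and would feed the flagged accounts into the reset and notification workflow the article describes.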

It is also recommending that 2FA is enabled, but – at risk of repeating myself – I would really like to see more companies insist on the use of two-factor authentication. Ultimately it not only helps to protect customer accounts, but it can also reduce reputational damage to the targeted service.

Which, I would argue, is particularly important when it comes to a service which is supposed to store your passwords securely.



Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, on Mastodon at @[email protected], or drop him an email.

5 comments on “Ugh! Norton LifeLock password manager accounts accessed by hackers”

  1. Bob

    First Last Pass and now another password manager?!

  2. Bob
  3. Paul Lambert

    So the real problem is between the chair and the keyboard? The lesson learned is that if you reuse your master password, all your passwords are belong to us. For great justice.

  4. Roger Leyland

    This seems not to be Norton Lifelock's fault, they have been vigilant and noticed and warned about multiple credential stuffing attacks. I do agree that they should mandate 2FA on their clients' Password manager accounts.

    1. Graham Cluley · in reply to Roger Leyland

      Yeah, that's my point.

      If you're a security company promising to store users' most sensitive information you have a duty to protect it the best you can.

      2FA should be mandatory, or at least the default, to reduce the risk of an account being compromised due to a reused or poorly-chosen password.

      There are also a bunch of other things that can be done to help protect against credential stuffing. Some good advice here from OWASP: https://cheatsheetseries.owasp.org/cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.html
