LifeLock, an Arizona-based identity theft protection firm may have exposed email addresses of millions of its customers – Simply put: A firm vowing to protect online identity of its customers may have exposed their identity to malicious hackers and cybercriminals.
It happened due to a critical vulnerability which exposed LifeLock’s customers to phishing and identity theft attacks. The vulnerability was identified by Nathan Reese, an IT security researcher from Atlanta who noted that unsubscribing from LifeLock’s newsletter revealed subscriber’s key.
Upon further digging Reese found out that key number is sequential and with the help of script written by himself he could extract keys and corresponding email addresses of every LifeLock subscribers.
“If I were a bad guy, I would definitely target your customers with a phishing attack because I know two things about them,” Reese said. “That they’re a LifeLock customer and that I have those customers’ email addresses. That’s a pretty sharp spear for my spear phishing right there. Plus, I definitely think the target market of LifeLock is someone who is easily spooked by the specter of cybercrime,” Reese told Brain Krebs.
It is noteworthy that LifeLock’s parent company is the world-renowned IT security giant Symantec who bought the firm in November 2016 for $2.3 billion. However, this is not the first time that LifeLock has done such a blunder. In 2014, the company pulled its Wallet app from availability and deleted all user data after it was revealed that the app may not be following standard security protocol.
Also, this is not the first time when a firm promising to protect user privacy has betrayed their trust. Last year, a vulnerability in LastPass password manager allowed hackers to steal its customers’ login credentials. Moreover, in June 2017, OneLogin password manager suffered a cyber attack in which personal data of millions of users was stolen.
Mark Weiner, CMO at BreachControl™ platform Balbix commented on the issue and told HackRead that “The exposed email addresses of LifeLock customers, unfortunately, does make them easy targets for those engaged in spear-phishing. Not having broad visibility into the breach risk across an enterprise’s entire attack surface continues to be an issue for most organizations, and attackers are waiting for opportunities like this to strike. When an enterprise is not thinking proactively, misconfigurations such as this are easily missed. LifeLock may also suffer some brand reputation damage due to the bug as well.”
As for LifeLock, Symantec was informed about the vulnerability and at the time of publishing this article; the vulnerable LifeLock’s website link was removed from the Internet while the main site was up and reachable to customers.
Image credit: Depositphotos