Ugh! Norton LifeLock password manager accounts accessed by hackers • Graham Cluley


What’s happened?

If you use Norton LifeLock as your password manager, your account may have been compromised.

Wow. What???

According to Bleeping Computer, Gen, the company behind Norton LifeLock (and other brands such as Avast, Avira, AVG, ReputationDefender, and CCleaner), is sending some customers a data breach notification warning that accounts were accessed following a credential stuffing attack.

Has Norton LifeLock been hacked?

I think it’s unfair to describe what happened that way.

Norton LifeLock didn’t do as badly as fellow password manager LastPass did in its recent horrific hack.

In fact, in a notice sent to affected NortonLifeLock customers, the company said:

Our own system was not compromised. However, we strongly believe that an unauthorized third party knows and is misusing your account username and password.

But how did hackers find usernames and passwords for so many people’s LifeLock accounts?

Credential stuffing attacks take advantage of the fact that many people still make the mistake of reusing the same passwords in different places on the Internet.

If one service is compromised and its password database stolen, hackers can fling those credentials at other online accounts to see if they can unlock something else they want.

When did this attack occur?

According to the company, unauthorized access to customer accounts began on December 1, 2022, but things really heated up on December 12 with a “massive” number of account login failures.

What did the hackers access on my Norton LifeLock account?

The data breach notification states that the user’s name, phone number, and mailing address were accessed. TechCrunch reports that the company “cannot rule out the possibility that the intruder also accessed the customer’s stored passwords.”

Gulp!

What can be done to prevent this kind of attack?

First, we need to stop reusing passwords (sorry I’ve been saying that for years…)

Another thing you can do is enable two-factor authentication (2FA) on your account. This provides an extra layer of protection even if your password is compromised.


Norton offers account holders three types of 2FA: Mobile Authenticator App, Security Key, and Mobile Number. The first two 2FA methods are better options than a mobile number, but frankly, you’re better off with any 2FA than no 2FA at all.

Which brings me to my next point. Why doesn’t NortonLifeLock require users to enable two-factor authentication for their own protection?

It sure seems like it would make a hacker’s life harder…

Right. 2FA doesn’t prevent attacks 100%, but it forces criminals to put more effort into attacking.

So how many accounts did the hackers access?

According to Bleeping Computer, Gen claims to have “protected 925,000 inactive and active accounts that may have been targeted by credential stuffing attacks.”

Almost a million!

Yes, it’s quite an attack. The company is closely monitoring the situation, flagging accounts with suspicious login attempts and proactively asking customers to reset their passwords.

We also recommend enabling 2FA, but again, we strongly hope more companies will insist on using two-factor authentication. Ultimately, it not only helps protect customer accounts, but it can also reduce damage to the reputation of the service in question.

I would argue that this is especially important when it comes to services that are supposed to store passwords securely.



Graham Cluley is a veteran of the antivirus industry and has worked for many security companies since the early 1990s, when he created the first version of Dr. Solomon’s Antivirus Toolkit for Windows. He is now an independent security analyst and makes regular media appearances and lectures internationally on the topics of computer security, hackers and online privacy. Follow him on Twitter at @gcluley.


