If you use Norton LifeLock as your password manager, your account may have been compromised.
Wow. What???
According to Bleeping Computer, Gen, the company behind Norton LifeLock (and other brands such as Avast, Avira, AVG, ReputationDefender, and CCleaner), is sending data breach notifications to some customers, warning that their accounts were accessed following a credential stuffing attack.
Has Norton LifeLock been hacked?
I think that would be an unfair way to describe what happened.
Norton LifeLock didn’t do as badly as fellow password manager LastPass did in its recent horrific hack.
In fact, in a notice sent to affected NortonLifeLock customers, the company said:
Our own system was not compromised. However, we strongly believe that an unauthorized third party knows and is misusing your account username and password.
But how did the hackers find the usernames and passwords for so many people’s LifeLock accounts?
Credential stuffing attacks take advantage of the fact that many people still make the mistake of reusing the same passwords in different places on the Internet.
If one service is compromised and its password database stolen, hackers can try those credentials against other online accounts to see if they unlock something else they want.
When did this attack occur?
According to the company, unauthorized access to customer accounts began on December 1, 2022, but things really heated up on December 12 with a “massive” volume of failed account logins.
What did the hackers access on my Norton LifeLock account?
The data breach notification states that the user’s name, phone number, and mailing address were accessed. TechCrunch reports that the company said it “cannot rule out the possibility that an intruder also accessed a customer’s stored passwords.”
What can be done to prevent this kind of attack?
First, we need to stop reusing passwords (sorry, I’ve been saying that for years…).
Another thing you can do is enable two-factor authentication (2FA) on your account. This provides an extra layer of protection if your password is compromised.
Norton offers account holders three flavors of 2FA: a mobile authenticator app, a security key, or a mobile phone number. The first two 2FA methods are both better options than a mobile number, but frankly you are better off with any 2FA than with no 2FA at all.
Which brings me to my next point. Why doesn’t NortonLifeLock require its users to enable two-factor authentication for their own protection?
It sure seems like it would make a hacker’s life harder…
Right. 2FA isn’t 100% protection, but it forces criminals to put more effort into their attacks.
So how many accounts did the hackers access?
According to Bleeping Computer, Gen claims to have “protected 925,000 inactive and active accounts that may have been targeted by credential stuffing attacks.”
Almost a million!
Yes, it’s quite an attack. The company said it is closely monitoring the situation, flagging accounts with suspicious login attempts and proactively asking customers to reset their passwords.
We also recommend enabling 2FA, but again, we strongly hope more companies will insist on using two-factor authentication. Ultimately, it not only helps protect customer accounts, but it can also reduce damage to the reputation of the service in question.
I would argue that this is especially important when it comes to services that are supposed to store passwords securely.
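The monitoring described above (a spike in failed logins, then flagging accounts with suspicious login attempts and asking for password resets) can be sketched as follows. This is an added example, not Gen's detection logic: the event format, the thresholds and all function names are assumptions, and the log entries are constructed.

```python
from collections import defaultdict

# Constructed sample events: (minute, source_ip, username, login_succeeded)
EVENTS = [
    (0, "198.51.100.7", "alice", False),
    (0, "198.51.100.7", "bob", False),
    (1, "198.51.100.7", "carol", True),   # reused password worked
    (1, "198.51.100.7", "dave", False),
    (2, "198.51.100.7", "erin", False),
    (2, "198.51.100.7", "frank", False),
    (3, "203.0.113.20", "grace", False),  # ordinary user mistyping
    (4, "203.0.113.20", "grace", False),
    (5, "203.0.113.20", "grace", True),
]

def stuffing_sources(events, window=10, min_users=5, min_fail_ratio=0.8):
    """Return sources that tried many distinct usernames, mostly failing,
    within any `window`-minute span. Thresholds are illustrative."""
    by_ip = defaultdict(list)
    for minute, ip, user, ok in events:
        by_ip[ip].append((minute, user, ok))
    flagged = set()
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] >= window:
                start += 1  # slide the window forward
            span = rows[start:end + 1]
            users = {u for _, u, _ in span}
            fails = sum(1 for _, _, ok in span if not ok)
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                flagged.add(ip)
                break
    return flagged

def accounts_to_reset(events, sources):
    """Accounts a flagged source logged in to: the password is known to the
    attacker, so force a reset and review what the session accessed."""
    return sorted({u for _, ip, u, ok in events if ok and ip in sources})

def accounts_to_watch(events, sources):
    """Accounts a flagged source targeted without success."""
    hit = set(accounts_to_reset(events, sources))
    return sorted({u for _, ip, u, _ in events if ip in sources} - hit)

if __name__ == "__main__":
    bad = stuffing_sources(EVENTS)
    print(bad, accounts_to_reset(EVENTS, bad), accounts_to_watch(EVENTS, bad))
```

Counting distinct usernames per source, rather than failures per account, is what separates stuffing from a user mistyping their own password: "grace" fails twice here without being flagged.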
Did you find this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.