Ugh! Norton LifeLock password supervisor accounts accessed by hackers • Graham Cluley

Ugh! Norton LifeLock password manager accounts accessed by hackers

What’s occurred?

In the event you use Norton lifeLock as your password supervisor, your account could have been compromised.

Woah. What???

Based on Bleeping Computer, Gen, the corporate behind Norton LifeLock (and different manufacturers together with Avast, Avira, AVG, ReputationDefender, and CCleaner), is sending knowledge breach notifications to a few of its prospects warning that their accounts have been accessed following a credential-stuffing assault.

So Norton LifeLock received hacked?

I’d argue that’s an unfair strategy to describe what’s occurred.

Norton LifeLock didn’t screw up something like as badly as fellow password supervisor LastPass did in its current horrendous hack.

In actual fact, within the notification being despatched to affected Norton LifeLock prospects, the corporate says:

Our personal programs weren’t compromised. Nevertheless, we strongly imagine that an unauthorized third celebration is aware of and has utilized your username and password to your account.

However how did a hacker discover out the username and password to so many individuals’s LifeLock accounts?

Credential-stuffing assaults benefit from the truth that many individuals nonetheless make the error of reusing the identical passwords in other places on the web.

If one service will get breached and its password database stolen, hackers can fling these credentials at different on-line accounts – to see if they could unlock one thing fascinating elsewhere.

When did this assault occur?

The corporate says that the unauthorised entry to buyer accounts started on December 1 2022, however issues heated up significantly on December 12 when a “giant quantity” of failed account logins occurred.

What did the hackers entry in Norton LifeLock accounts?

The info breach notification says that customers’ names, telephone numbers, and mailing addresses have been accessed, however TechCrunch reports that the corporate “can’t rule out that the intruders additionally accessed prospects’ saved passwords.”


What might be completed to cease this sort of assault?

Properly, the very first thing is to STOP REUSING PASSWORDS (Sorry for shouting, however I’ve been saying this for years…)

The opposite factor you are able to do is allow two-factor authentication (2FA) in your accounts, which provides a further layer of safety even when your password falls into the improper arms.

EmailSignal as much as our e-newsletter
Safety information, recommendation, and ideas.

Norton gives three flavours of 2FA to its account holders – cell authentication app, safety key, or cell phone quantity. Both of the primary two 2FA strategies are a greater possibility than cell phone quantity, however frankly any 2FA is best than no 2FA in any respect.

Which brings me to the subsequent level. Why doesn’t Norton LifeLock insist upon customers enabling two-factor authentication for their very own safety?

It definitely feels like it could make life tougher for hackers…

Proper. 2FA isn’t 100% bulletproof, nevertheless it does power criminals to place extra effort into their assaults – which can be unattractive to them, notably at scale.

So what number of accounts had been accessed by the hackers?

Bleeping Pc reviews that Gen claims to have “secured 925,000 inactive and lively accounts which will have been focused by credential-stuffing assaults.”

Nearly 1,000,000!

Yup, it’s a big assault. The corporate says that it’s monitoring the scenario carefully, flagging accounts with suspicious login makes an attempt, and proactively asking prospects to reset their passwords.

It is usually recommending that 2FA is enabled, however – prone to repeating myself – I would like to see extra firms insist on using two-factor authentication. In the end it not solely helps to guard buyer accounts, however it could additionally cut back reputational injury to the focused service.

Which, I’d argue, is especially vital with regards to a service which is meant to retailer your passwords securely.

Discovered this text attention-grabbing? Follow Graham Cluley on Twitter or Mastodon to learn extra of the unique content material we submit.

Graham Cluley is a veteran of the anti-virus trade having labored for various safety firms because the early Nineteen Nineties when he wrote the primary ever model of Dr Solomon’s Anti-Virus Toolkit for Home windows. Now an impartial safety analyst, he recurrently makes media appearances and is a global public speaker on the subject of pc safety, hackers, and on-line privateness.
Comply with him on Twitter at @gcluley, on Mastodon at @[email protected], or drop him an e-mail.