Now Norton's LifeLock Password Manager has been breached.
Less than a month after LastPass admitted a large-scale breach of its much-vaunted password manager, the old man of computer security, Norton, has said that its LifeLock password manager has also been breached. Is there an industry-wide problem?
It's a rhetorical question. Password managers are like bank accounts: their inherent value makes them attractive to those who hack for their own use and/or for resale.
In fact, the username and password pairs obtained from password managers are exactly what criminals need to mount an attack similar to the one mounted on PayPal last month (see here
Norton - which is now known by the completely forgettable name of "Gen Digital", having for many years been a division of Symantec Corp. - says that the breach did not originate in its own systems. As at PayPal, someone outside the company obtained username and password pairs already circulating on the internet (typically leaked in earlier breaches of other services) and tried them against Norton logins until some worked: a so-called "credential stuffing" attack, which succeeds only because people reuse the same password on several sites. The first attack was on 1 December, but on 12 December an "unusually large volume" of failed login attempts was made. That high failure rate, spread across many different usernames rather than concentrated on one account, is the characteristic signature of stuffing and is what a login service should be alerting on. It is noticeable that the attack on Norton coincided with the attack on PayPal. There is, however, no information as to whether the attacks were coordinated.
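The pattern just described, a burst of failures from one source spread across many usernames with the occasional success, is what a detection rule for credential stuffing keys on. The following is an added example written for this page, not Norton's or Gen Digital's code, and it makes assumptions: a hypothetical login-log line format of "<ISO timestamp> ip=<addr> user=<name> result=<ok|fail>", thresholds chosen for illustration, and a constructed sample log using documentation IP ranges. It deliberately distinguishes stuffing (many users, one source) from classic brute force (one user, many guesses), and it produces the list of accounts that actually succeeded from a flagged source, which is the set a company would have to reset.

```python
"""Credential-stuffing detector over constructed auth-log lines.

Added example for this article; not Norton's / Gen Digital's code.
Assumed log format (hypothetical):
    <ISO timestamp> ip=<addr> user=<name> result=<ok|fail>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ip": m["ip"],
        "user": m["user"],
        "ok": m["result"] == "ok",
    }


def detect_stuffing(lines, window=timedelta(minutes=5), min_attempts=20,
                    min_distinct_users=10, max_success_rate=0.2):
    """Return (flagged_ips, accounts_to_reset).

    Stuffing signature: within `window`, one source makes >= min_attempts
    login attempts against >= min_distinct_users different usernames and
    mostly fails. Brute force against a single account (many attempts, one
    username) does not meet min_distinct_users and is not flagged here.
    """
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            if len(win) < min_attempts:
                continue
            users = {e["user"] for e in win}
            successes = sum(e["ok"] for e in win)
            if len(users) >= min_distinct_users and successes / len(win) <= max_success_rate:
                # Keep the widest triggering window seen for this source.
                if ip not in flagged or len(win) > flagged[ip]["attempts"]:
                    flagged[ip] = {
                        "attempts": len(win),
                        "distinct_users": len(users),
                        "successes": successes,
                        "window_start": win[0]["ts"].isoformat(),
                    }
    # Any account that logged in successfully from a flagged source is a
    # suspected takeover and needs a password reset.
    accounts = sorted({e["user"] for ip in flagged for e in by_ip[ip] if e["ok"]})
    return flagged, accounts


def sample_log():
    """Constructed sample log (not real Norton data); IPs are documentation ranges."""
    base = datetime(2022, 12, 12, 3, 0, 0)
    lines = []
    # Stuffing source: 40 distinct usernames in under 4 minutes, 3 of them succeed.
    hits = {3, 17, 31}
    for i in range(40):
        ts = base + timedelta(seconds=6 * i)
        result = "ok" if i in hits else "fail"
        lines.append(f"{ts.isoformat()} ip=203.0.113.7 user=user{i:02d} result={result}")
    # Brute-force source: 30 failures against one account; not stuffing.
    for i in range(30):
        ts = base + timedelta(seconds=8 * i)
        lines.append(f"{ts.isoformat()} ip=198.51.100.9 user=admin result=fail")
    # Benign traffic, including one user mistyping a password once.
    lines.append(f"{(base + timedelta(minutes=1)).isoformat()} ip=192.0.2.44 user=alice result=fail")
    lines.append(f"{(base + timedelta(minutes=1, seconds=20)).isoformat()} ip=192.0.2.44 user=alice result=ok")
    lines.append(f"{(base + timedelta(minutes=2)).isoformat()} ip=192.0.2.45 user=bob result=ok")
    return lines


if __name__ == "__main__":
    flagged, accounts = detect_stuffing(sample_log())
    for ip, info in flagged.items():
        print(f"stuffing from {ip}: {info}")
    print("accounts to reset:", accounts)
```

The thresholds are the tuning knobs: a large consumer service would set them from its own baseline of failed-login volume, and would also key on distinct usernames per source so that a single user's forgotten password does not trip the rule. Note what the rule does not catch on its own: a stuffing campaign spread across thousands of proxy addresses keeps each source under min_attempts, which is why production detectors also aggregate on global failure rate and on request fingerprints.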
Norton says that accounts were compromised but did not, initially, disclose how many. However, a spokesman for Gen Digital told Bleeping Computer that the company serves some 500 million customers and that 925,000 accounts have been "secured", which presumably means locked or password-reset rather than confirmed as compromised. That is fine as far as it goes, but there is considerable cause for concern in the statement that those are both "inactive and active" accounts, implying that the company retains account data after the business relationship has ended or been abandoned by the customer.
Given that Norton's mobile product went through a period of heavy discounting and trial offers several years ago, and that the USA has nothing like GDPR to force the deletion of obsolete data, it is possible that some of the information relates to people who held accounts for a very short time, perhaps a decade ago. There is no information on this. The saving grace is that such old accounts are unlikely to be associated with the LifeLock product and therefore may have been outside the hackers' area of interest.
Norton made its disclosure to customers and sent a copy to the Attorney General of Vermont, Charity R. Clark. That letter is here: https://ago.vermont.gov/blog/2...
Like PayPal, the company says it is "making a credit monitoring service available to you" and that it has reset the passwords on affected accounts. The letter also says that the attackers might have obtained details stored in the private vaults. Password managers of this kind encrypt the vault under a key derived from a separate vault password, so a stuffed account password exposes the vault contents only if that vault password is the same as, or as guessable as, the account password; anyone who reused it should treat every credential stored in the vault as compromised and rotate it. Like PayPal, the company says that customers should implement two-factor authentication, which stops credential stuffing even when the password itself is already in the attackers' hands.