- A vulnerability in LifeLock’s website allowed anyone with a web browser to catalogue the company’s customers’ email addresses.
- LifeLock has around 4.5 million customer accounts.
The popular identity theft protection service provider LifeLock reportedly exposed the email addresses of millions of its customers. The breach was caused by a vulnerability in LifeLock’s website, which allowed anyone with a web browser to catalogue LifeLock customers’ email addresses and even unsubscribe customers from any communications from LifeLock.
The vulnerability was discovered by Atlanta-based freelance security researcher Nathan Reese after he received an email at the address he had provided to LifeLock; the message offered a discount to renew his membership, cybersecurity journalist Brian Krebs reported.
“If I were a bad guy, I would definitely target your customers with a phishing attack because I know two things about them,” Reese said, Krebs reported. “That they’re a LifeLock customer and that I have those customers’ email addresses. That’s a pretty sharp spear for my spear phishing right there. Plus, I definitely think the target market of LifeLock is someone who is easily spooked by the specter of cybercrime.”
Symantec, which acquired LifeLock in 2016, took the LifeLock website offline after Krebs alerted the firm about the bug. Symantec has since fixed the issue.
"The issue has been fixed and was limited to potential exposure of email addresses on a marketing page, managed by a third party, intended to allow recipients to unsubscribe from marketing emails," a Symantec spokesperson said, Mashable reported. "Based on our investigation, aside from the 70 email address accesses reported by the researcher, we have no indication at this time of any further suspicious activity on the marketing opt-out page."
However, it is still unclear how many customers were affected by the breach.
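As an added illustration, not code from the report or from LifeLock's site, the following Python sketches the failure mode described above, an opt-out page that acts on a guessable identifier and echoes the address, next to a hardened version that keys unsubscribe links on a per-recipient HMAC token and never returns the email. The numeric ids, the sample addresses and the assumption that the original page used a guessable id are constructed for the example, not facts from the article.

```python
import hmac
import hashlib
import secrets

# Constructed sample subscriber table (not real data): subscriber id -> email
SUBSCRIBERS = {1001: "alice@example.com", 1002: "bob@example.com"}
# Server-side secret used to sign unsubscribe tokens
SECRET_KEY = secrets.token_bytes(32)


def unsubscribe_by_id(sub_id: int) -> dict:
    """Weak pattern (assumed for contrast): the opt-out page is keyed by a
    guessable numeric id and echoes the matching address, so walking the id
    space reveals every subscriber's email."""
    email = SUBSCRIBERS.get(sub_id)
    if email is None:
        return {"status": "unknown"}
    return {"status": "unsubscribed", "email": email}  # leaks the address


def make_unsub_token(sub_id: int) -> str:
    """Hardened pattern: each mailing carries a per-recipient token that is an
    HMAC over the subscriber id. Without SECRET_KEY no token can be forged."""
    mac = hmac.new(SECRET_KEY, str(sub_id).encode(), hashlib.sha256).hexdigest()
    return f"{sub_id}.{mac}"


def unsubscribe_by_token(token: str) -> dict:
    """Verify the token in constant time and return the same generic answer
    for a bad signature and an unknown id, so the endpoint is neither an
    address leak nor an oracle for which ids exist."""
    try:
        sub_id_str, mac = token.split(".", 1)
        sub_id = int(sub_id_str)
    except ValueError:
        return {"status": "invalid"}
    expected = hmac.new(SECRET_KEY, sub_id_str.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected) or sub_id not in SUBSCRIBERS:
        return {"status": "invalid"}
    return {"status": "unsubscribed"}  # no email in the response
```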
Breaches caused by misconfigurations have become increasingly common over the past few years.
Numerous popular retail brands, including Walmart and Saks Fifth Avenue, have exposed customer and corporate data due to similar issues. In this case, however, the vulnerability appears to have been the result of shoddy website security rather than a misconfiguration.
“The design of the company’s site suggests that whoever put it together lacked a basic understanding of Web site authentication and security,” Krebs said in his blog.