If you happen to use Norton LifeLock as a password manager, your account may have been compromised.
According to BleepingComputer, Gen, the company behind Norton LifeLock (and other brands including Avast, Avira, AVG, ReputationDefender, and CCleaner), is sending data breach notifications to some of its customers warning that their accounts were accessed following a credential stuffing attack.
So Norton LifeLock was hacked?
I would say that's an unfair way of describing what happened.
Norton LifeLock didn't screw anything up nearly as badly as fellow password manager LastPass did in its recent horrendous attack.
In fact, in the notification sent to affected Norton LifeLock customers, the company says:
Our own systems were not compromised. However, we strongly believe that an unauthorized third party knows and has used your username and password for your account.
But how did a hacker find out the username and password for so many people's LifeLock accounts?
Credential stuffing attacks take advantage of the fact that many people still make the mistake of reusing the same passwords in different places on the Internet.
If a service is breached and its password database stolen, hackers can try those credentials against other online accounts to see if they unlock something interesting elsewhere.
When did this attack happen?
The company says unauthorized access to customer accounts began on December 1, 2022, but things heated up considerably on December 12 when there was a "high volume" of failed account logins.
What did hackers access in Norton LifeLock accounts?
The data breach notification says that customers' names, phone numbers, and mailing addresses were accessed, but TechCrunch reports that the company "cannot rule out that the intruders also accessed customers' saved passwords."
What can be done to stop this type of attack?
Well, the first thing is to STOP REUSING PASSWORDS (Sorry for yelling, but I have been saying this for years…)
The other thing you can do is enable two-factor authentication (2FA) on your accounts, which adds an extra layer of security even if your password falls into the wrong hands.
Norton offers three flavors of 2FA to its account holders: mobile authenticator app, security key, or mobile phone number. Either of the first two 2FA methods is a better choice than mobile phone number, but frankly, any 2FA is better than no 2FA.
Which brings me to the next point. Why doesn't Norton LifeLock insist that customers enable two-factor authentication for their own protection?
It certainly seems like it would make life harder for hackers…
Right. 2FA isn't 100% bulletproof, but it does force criminals to work harder on their attacks, which is likely to be unappealing to them, especially at scale.
So how many accounts did the hackers access?
BleepingComputer reports that Gen claims to have "secured 925,000 inactive and active accounts that may have been subject to credential stuffing attacks."
Almost one million!
Yes, it's a significant attack. The company says it is monitoring the situation closely, flagging accounts with suspicious login attempts and proactively asking customers to reset their passwords.
It also recommends that 2FA be enabled, but at the risk of repeating myself, I would really like to see more companies insist on the use of two-factor authentication. Ultimately, it not only helps protect customer accounts, but could also reduce reputational damage to the targeted service.
Which, I would say, is particularly important when you're dealing with a service that is supposed to store your passwords securely.
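As an added example (not from the article, and not Gen's own tooling), here is a small Python detector for the login pattern the article describes: a "high volume" of failed logins spread across many distinct accounts from one source, each tried only once or twice, which is the shape credential stuffing leaves behind and the basis on which a service can flag accounts for a forced password reset. The event data, IP addresses and usernames are constructed for the example.

```python
"""Spot the shape of a credential-stuffing run in authentication logs.

Credential stuffing differs from classic brute force: one source tries MANY
different usernames, each with only the one or two passwords leaked from some
other breach, instead of hammering a single account with many guesses.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events (timestamp, source IP, username, outcome).
# Made up for this example; not data from the Norton LifeLock incident.
SAMPLE_EVENTS = [
    ("2022-12-12T09:00:00", "198.51.100.9", "dana", "fail"),  # one user, a
    ("2022-12-12T09:00:05", "198.51.100.9", "dana", "fail"),  # couple of typos:
    ("2022-12-12T09:00:09", "198.51.100.9", "dana", "ok"),    # benign
] + [
    ("2022-12-12T10:00:%02d" % i, "203.0.113.7", "user%02d" % i, "fail")
    for i in range(12)                                        # 12 accounts, 1 try each
] + [
    ("2022-12-12T10:00:30", "203.0.113.7", "user12", "ok"),   # reused passwords
    ("2022-12-12T10:00:31", "203.0.113.7", "user13", "ok"),   # that worked
]


def detect_stuffing(events, window_min=5, min_users=10, max_per_user=2):
    """Return {source_ip: [usernames that logged in OK from it]} for every
    source whose failures inside one window touch at least min_users distinct
    accounts with no more than max_per_user attempts against any one of them.
    The listed accounts are the ones to flag for a forced password reset."""
    fails = defaultdict(lambda: defaultdict(int))  # (ip, window) -> user -> count
    successes = defaultdict(set)                   # ip -> users with an OK login
    for ts, ip, user, outcome in events:
        if outcome == "ok":
            successes[ip].add(user)
            continue
        t = datetime.fromisoformat(ts)
        window = t.replace(minute=t.minute - t.minute % window_min, second=0)
        fails[(ip, window)][user] += 1
    flagged = {}
    for (ip, _), per_user in fails.items():
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            flagged[ip] = sorted(successes.get(ip, ()))
    return flagged


if __name__ == "__main__":
    for ip, accounts in detect_stuffing(SAMPLE_EVENTS).items():
        print(f"{ip}: stuffing pattern; reset passwords for {accounts}")
```

A single account with a dozen failures (a forgotten password, or a brute-force attempt on one user) deliberately does not trip this detector; the thresholds are starting points to tune against real traffic.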
Ugh! Norton LifeLock password manager accounts accessed by hackers • Graham Cluley