NortonLifeLock Unlocked, Making Life Worse For Their Customers
Living The Bad Life
Continuing the trend of password managers being compromised: if you are a NortonLifeLock user, you have already received, or are about to receive, notification that they have been breached badly.
Via Bleeping Computer:
Gen Digital, formerly Symantec Corporation and NortonLifeLock, is sending data breach notifications to customers, informing them that hackers have successfully breached Norton Password Manager accounts in credential-stuffing attacks.
Unfortunately the breach happened in early December, and we are just finding out about it now. While Norton did reset the passwords of all affected accounts, the attackers likely harvested customers' first names, last names, phone numbers, and mailing addresses. It is also not unthinkable that affected customers reuse similar passwords on other accounts; those accounts remain vulnerable until the passwords are changed.
Bleeping Computer reached out to Norton in the hopes of finding out the total number of breached accounts but has yet to hear back. It is also unclear how the attackers were able to garner the actual passwords and not just the hashes. That, if nothing else, should make you think again about using Norton products.
Update, 01/14/23: A Gen spokesperson has responded to PC Perspective with the following statement:
Our top priority is to help our customers secure their digital lives. Our security team identified a high number of Norton account login attempts indicating credential-stuffing attacks targeting our customers’ accounts, and we are working to help our customers secure their accounts and personal information. Systems have not been compromised, and they are safe and operational, but, as is all too commonplace in today’s world, bad actors take credentials found elsewhere, like the Dark Web, and create automated attacks to gain access to other unrelated accounts. Given the prevalence of login credentials available to bad actors today, it is extremely difficult to ascertain any individual or the combined sources of data that were utilized. We do our best to encourage everyone to practice good password hygiene – strong, unique, complex passwords to help defend their accounts and personal data.
We have been monitoring closely, flagging accounts with suspicious login attempts and proactively requiring those customers to reset their passwords upon login along with additional security measures to protect our valued customers. We continue to work closely with our customers to help them secure their accounts and personal information.
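The pattern the statement describes (a high number of login attempts driven by credentials recycled from other breaches, then forced password resets on the accounts those attempts reached) can be sketched as a check over login-audit logs. The following is an added illustration, not Norton's or Gen Digital's code; the log format, the thresholds and the sample lines are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (not real logs): 10.0.0.5 replays a leaked list and
# lands one hit; 192.0.2.9 is a legitimate user who mistypes once.
SAMPLE_LOG = """\
2022-12-01T03:00:01 10.0.0.5 alice FAIL
2022-12-01T03:00:02 10.0.0.5 bob FAIL
2022-12-01T03:00:02 10.0.0.5 carol FAIL
2022-12-01T03:00:03 10.0.0.5 dave SUCCESS
2022-12-01T03:00:04 10.0.0.5 erin FAIL
2022-12-01T03:00:05 10.0.0.5 frank FAIL
2022-12-01T03:01:00 192.0.2.9 grace FAIL
2022-12-01T03:01:09 192.0.2.9 grace SUCCESS
"""

def parse(log_text):
    """Yield (source_ip, username, ok) from "<ts> <ip> <user> <SUCCESS|FAIL>" lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the detector
        _ts, ip, user, result = parts
        yield ip, user, result == "SUCCESS"

def detect_stuffing(log_text, min_users=5, max_success_ratio=0.3):
    """Flag sources that try many distinct usernames with mostly failures
    (the fingerprint of replaying a leaked list); return (flagged_ips,
    accounts_to_reset). Thresholds are illustrative, not Norton's."""
    attempts = defaultdict(list)  # ip -> [(user, ok), ...]
    for ip, user, ok in parse(log_text):
        attempts[ip].append((user, ok))
    flagged, to_reset = set(), set()
    for ip, events in attempts.items():
        users = {u for u, _ in events}
        successes = sum(1 for _, ok in events if ok)
        if len(users) >= min_users and successes / len(events) <= max_success_ratio:
            flagged.add(ip)
            # accounts whose leaked password evidently still works
            to_reset.update(u for u, ok in events if ok)
    return flagged, to_reset

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))  # → ({'10.0.0.5'}, {'dave'})
```

The legitimate user who fails once and then succeeds is not flagged, which is the distinction between a forced reset for accounts a stuffing run actually opened and a blanket reset for everyone.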
This article was clearly written by someone who got a push notification and did no further research. Comparing this to the LastPass hack is lazy at best and disingenuous at worst. With LastPass, it was their own system that got breached and they handled it absolutely atrociously. From leaving data unencrypted that should’ve been encrypted to holding information back and telling customers there was nothing they needed to do, it was handled in basically the worst possible way. In this case someone bought a list of usernames and passwords from a different hack and tried to use them to see if they would work. Comparing these two situations is like comparing a valet who left all the cars unlocked and half of them got stolen with a valet who locked the cars like normal but 2 or 3 customers left copies of their keys laying around the event and a couple of cars ended up getting stolen anyway. Apples and Oranges are honestly not different enough to describe the differences between these two hacks.
Curious. Why did you say “Comparing this to the Lastpass hack…”? Neither this article nor the Bleeping Computer article compared it to Lastpass. I read both articles twice and did not even see a mention of Lastpass, much less a comparison.
Was wondering that myself.
“It is also unclear as to how the attackers were able to garner the actual passwords and not just the hashes.”
Because for a password manager to function for its intended purpose, plaintext passwords must by definition be accessible.