LifeLock's identity theft protection service had a security flaw that exposed its subscribers' email addresses, a ready-made target list for phishing. The discovery forced its parent company, Symantec, to pull part of its website* down to fix the issue after KrebsOnSecurity notified it. According to Krebs, Atlanta-based security researcher Nathan Reese found the vulnerability through a newsletter email he received from the service: the "unsubscribe" link led to a page that plainly displayed his subscriber key, a simple sequential number. Because the key was nothing more than a counter, Reese was able to write a script that stepped through numbers one by one and pulled each key and its corresponding email address from the service, the classic insecure direct object reference pattern.
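The weakness described above is a lookup keyed by a guessable, sequential identifier. The Python sketch below is an added illustration, not LifeLock's, Symantec's or Krebs's code: it contrasts an unsubscribe endpoint that trusts a bare subscriber key with one that accepts only an HMAC-bound, unguessable token and never echoes the address back. The subscriber table, the keys and the server secret are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample data for the example (hypothetical subscribers, not real records).
SUBSCRIBERS = {
    1001: "alice@example.com",
    1002: "bob@example.com",
    1003: "carol@example.com",
}

# Hypothetical server-side secret; in production it would come from a secrets store.
SERVER_SECRET = secrets.token_bytes(32)


# --- Weak design: unsubscribe is keyed by a bare sequential subscriber key ---

def weak_unsubscribe_page(subscriber_key):
    """Simulates an unsubscribe page that looks the key up straight from the URL
    and echoes the matching address. Unknown keys return None."""
    return SUBSCRIBERS.get(subscriber_key)


def enumerate_weak(start, count):
    """What a scripted attacker does against the weak design: walk the key space
    and collect every (key, email) pair the page reveals."""
    harvested = {}
    for key in range(start, start + count):
        email = weak_unsubscribe_page(key)
        if email is not None:
            harvested[key] = email
    return harvested


# --- Hardened design: per-link token bound to the subscriber with an HMAC ---

def make_unsubscribe_token(subscriber_key):
    """Builds the token embedded in the newsletter's unsubscribe link.
    The random nonce makes every link unique; the HMAC over key and nonce
    means a token cannot be forged or altered without SERVER_SECRET."""
    nonce = secrets.token_hex(16)
    msg = f"{subscriber_key}:{nonce}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{subscriber_key}.{nonce}.{mac}"


def hardened_unsubscribe(token):
    """Verifies the token in constant time and processes the unsubscribe.
    Returns True on success, False otherwise; the address is never echoed,
    so even a valid token reveals nothing the link holder did not already have."""
    try:
        key_str, nonce, mac = token.split(".")
        key = int(key_str)
    except ValueError:
        return False
    msg = f"{key}:{nonce}".encode()
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False
    return key in SUBSCRIBERS


def enumerate_hardened(start, count):
    """The same counting attack against the hardened design: the attacker can
    guess keys but cannot produce a valid MAC, so nothing is harvested."""
    harvested = {}
    for key in range(start, start + count):
        forged = f"{key}.{'0' * 32}.{'0' * 64}"
        if hardened_unsubscribe(forged):
            harvested[key] = True
    return harvested


if __name__ == "__main__":
    print("weak design leaks:", enumerate_weak(1000, 10))
    print("hardened design leaks:", enumerate_hardened(1000, 10))
    print("legitimate link works:", hardened_unsubscribe(make_unsubscribe_token(1002)))
```

Two design points matter here beyond the MAC itself: the hardened handler reports only success or failure rather than displaying the account's email, and the token can just as well be a random opaque value stored server-side if you prefer not to expose the numeric key in the link at all.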
[Image credit: KrebsOnSecurity]
"If I were a bad guy, I would definitely target [the firm's] customers with a phishing attack because I know two things about them. That they're a LifeLock customer and that I have those customers' email addresses. That's a pretty sharp spear for my spear phishing right there. Plus, I definitely think the target market of LifeLock is someone who is easily spooked by the specter of cybercrime."
LifeLock's website seems to be working as usual now, but it's unclear whether the vulnerability has actually been patched. One thing's for sure, though: the service has a poor track record when it comes to keeping its users' sensitive information private. Back in 2014, it had to pull its mobile apps after finding that they may not have complied with payment card industry security standards. And a year before Symantec bought the company in 2016, the FTC hit it with a $100 million settlement for failing to adequately protect personal data, including users' Social Security, credit card and bank account numbers.
*Update: A LifeLock spokesperson clarified that the company only took down the page with the vulnerability and not the whole website.