LifeLock ID theft protection leak could have aided identity thieves

The service has a bad track record when it comes to protecting users' sensitive data.

LifeLock's identity theft protection service suffered from a security flaw that put users' identities in jeopardy. The event forced its parent company, Symantec, to pull part of its website* down to fix the issue after it was notified by KrebsOnSecurity. According to Krebs, Atlanta-based security researcher Nathan Reese discovered the vulnerability through a newsletter email he received from the service. Upon clicking "unsubscribe," a page that clearly showed his subscriber key popped up. That allowed Reese to write a script that sequences numbers, which was able to pull keys and their corresponding email addresses from the service.
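The flaw described above comes down to a guessable, sequential subscriber key acting as the only credential on the unsubscribe page. As an added example (not code from LifeLock, Symantec or KrebsOnSecurity), the sketch below binds each key to an HMAC so that changing the number in a link no longer yields a valid one; the server key, function names and subscriber records are constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed demo key; a real service would load this from a secret store.
SERVER_KEY = secrets.token_bytes(32)

# Constructed sample records standing in for the subscriber database.
SUBSCRIBERS = {1001: "alice@example.test", 1002: "bob@example.test"}


def make_unsubscribe_token(subscriber_id: int, key: bytes = SERVER_KEY) -> str:
    """Return '<id>.<mac>', where mac authenticates the id for this purpose only."""
    msg = b"unsubscribe:" + str(subscriber_id).encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    mac_b64 = base64.urlsafe_b64encode(mac).rstrip(b"=").decode()
    return f"{subscriber_id}.{mac_b64}"


def verify_unsubscribe_token(token: str, key: bytes = SERVER_KEY):
    """Return the subscriber id if the token is authentic, otherwise None."""
    sid, sep, mac_b64 = token.partition(".")
    if not sep or not sid.isascii() or not sid.isdigit():
        return None
    expected = make_unsubscribe_token(int(sid), key).partition(".")[2]
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), mac_b64.encode()):
        return None
    return int(sid)


def unsubscribe_page(token: str):
    """Return the email to show on the page, or None for any bad request.

    Invalid tokens and unknown ids get the same answer, so the endpoint
    does not confirm which subscriber numbers exist.
    """
    sid = verify_unsubscribe_token(token)
    if sid is None or sid not in SUBSCRIBERS:
        return None
    return SUBSCRIBERS[sid]


if __name__ == "__main__":
    good = make_unsubscribe_token(1001)
    print(unsubscribe_page(good))            # valid link resolves
    print(unsubscribe_page("1002"))          # bare sequential key is rejected
```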


Reese said:

"If I were a bad guy, I would definitely target [the firm's] customers with a phishing attack because I know two things about them. That they're a LifeLock customer and that I have those customers' email addresses. That's a pretty sharp spear for my spear phishing right there. Plus, I definitely think the target market of LifeLock is someone who is easily spooked by the specter of cybercrime."

LifeLock's website seems to be working as usual now, but it's unclear if the vulnerability has already been patched. One thing's for sure, though: the service has a horrible track record when it comes to keeping its users' sensitive info private. Back in 2014, it had to pull down its mobile apps after finding out that they may not have been compliant with payment card security standards. A year before Symantec purchased the company in 2016, the FTC also slapped it with a $100 million fine for not doing enough to protect personal data, including users' social security, credit card and bank account numbers.

*Update: A LifeLock spokesperson clarified that the company only took down the page with the vulnerability and not the whole website.
