Thousands of Norton LifeLock customers had their accounts compromised in recent weeks, potentially allowing criminal hackers to access customer password managers, the company revealed in a recent data breach notification.
In a message to customers, Gen Digital, the parent company of Norton LifeLock, said the likely culprit was a credential stuffing attack — using previously exposed or compromised credentials to break into accounts on different sites and services that share the same passwords — rather than a compromise of its systems. That’s why two-factor authentication, which Norton LifeLock offers, is recommended, as it prevents attackers from accessing someone’s account using just their password.
The company said it discovered that the intruders had already compromised accounts on Dec. 1, nearly two weeks before its systems detected a “large number” of failed logins to customer accounts on Dec. 12.
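The gap between the first compromises and the failed-login spike shows why detection should key on how many distinct accounts one source tries, not only on total failure volume. The following Python sketch is an added example, not code from Gen Digital or the original article; the log format, thresholds, IP addresses and usernames are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source IP, username, login succeeded).
# IPs are from documentation ranges; usernames and times are invented.
SAMPLE_EVENTS = [
    ("2024-01-01T03:00:05", "203.0.113.7", "alice", False),
    ("2024-01-01T03:00:09", "203.0.113.7", "bob", False),
    ("2024-01-01T03:00:14", "203.0.113.7", "dave", False),
    ("2024-01-01T03:00:20", "203.0.113.7", "erin", False),
    ("2024-01-01T03:00:26", "203.0.113.7", "frank", False),
    ("2024-01-01T03:00:31", "203.0.113.7", "carol", True),   # reused password worked
    ("2024-01-01T08:15:00", "198.51.100.20", "grace", False),  # typo, then success
    ("2024-01-01T08:15:12", "198.51.100.20", "grace", True),
    ("2024-01-01T09:40:00", "192.0.2.44", "heidi", True),
]


def find_stuffing_sources(events, window=timedelta(hours=1),
                          min_users=5, max_success_ratio=0.25):
    """Map each suspect source IP to the accounts it logged in to successfully.

    A source is suspect when, inside one sliding window, it tries at least
    min_users distinct usernames and at most max_success_ratio of those
    attempts succeed. Thresholds are illustrative assumptions.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, ok))

    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            users = {user for _, user, _ in span}
            successes = sum(ok for _, _, ok in span)
            if len(users) >= min_users and successes / len(span) <= max_success_ratio:
                # Treat every success from this source as a likely takeover,
                # including ones outside the window that tripped the rule.
                flagged[ip] = {user for _, user, ok in rows if ok}
                break
    return flagged


if __name__ == "__main__":
    for ip, accounts in find_stuffing_sources(SAMPLE_EVENTS).items():
        print(ip, "-> review and reset:", sorted(accounts))
```

A single user mistyping a password, like the constructed "grace" events, does not trip the rule because only one username is involved.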
“By accessing your account with your username and password, the unauthorized third party may have viewed your first name, last name, phone number and mailing address,” the data breach notification read. The notification was sent to customers who the company believes use the password management feature, because the company cannot rule out that the intruders also gained access to customers’ stored passwords.
Gen Digital said it had sent messages to about 6,450 customers whose accounts had been compromised.
Norton LifeLock provides identity protection and cybersecurity services. The incident is the latest in recent times involving the theft of customer passwords. Earlier this year, password management giant LastPass confirmed a data breach in which intruders compromised its cloud storage and stole millions of customers’ encrypted password vaults. In 2021, the company behind a popular corporate password manager called Passwordstate was hacked to push a compromised software update to its customers, allowing the cybercriminals to steal customers’ passwords.
That said, password managers are still widely recommended by security professionals for generating and storing unique passwords, as long as proper precautions and safeguards are in place to limit the consequences in the event of a compromise.