NortonLifeLock Warns That Hackers Breached Password Manager Accounts (bleepingcomputer.com)
An anonymous reader quotes a report from BleepingComputer: Gen Digital, formerly Symantec Corporation and NortonLifeLock, is sending data breach notifications to customers, informing them that hackers have successfully breached Norton Password Manager accounts in credential-stuffing attacks. According to a letter sample shared with the Office of the Vermont Attorney General, the attacks did not result from a breach on the company but from account compromise on other platforms. "Our own systems were not compromised. However, we strongly believe that an unauthorized third party knows and has utilized your username and password for your account," NortonLifeLock said. "This username and password combination may potentially also be known to others."
More specifically, the notice explains that around December 1, 2022, an attacker used username and password pairs they bought from the dark web to attempt to log in to Norton customer accounts. The firm detected "an unusually large volume" of failed login attempts on December 12, 2022, indicating credential stuffing attacks where threat actors try out credentials in bulk. By December 22, 2022, the company had completed its internal investigation, which revealed that the credential stuffing attacks had successfully compromised an undisclosed number of customer accounts: "In accessing your account with your username and password, the unauthorized third party may have viewed your first name, last name, phone number, and mailing address." For customers utilizing the Norton Password Manager feature, the notice warns that the attackers might have obtained details stored in the private vaults. Depending on what users store in their accounts, this could lead to the compromise of other online accounts, loss of digital assets, exposure of secrets, and more. Norton has reset passwords on impacted accounts and implemented additional measures to counter the malicious attempts. They're recommending customers enable two-factor authentication and take up the offer for a credit monitoring service.
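Added example (not from the BleepingComputer report or Norton's notice): a detector for the signal the notice describes, a burst of failed logins spread across many different usernames. The event tuple format, the thresholds and the sample data are assumptions constructed for illustration; successful logins from a flagged source are the accounts that need a password reset.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def constructed_events():
    """Constructed sample: (timestamp, source_ip, username, success)."""
    base = datetime(2022, 12, 12, 3, 0, 0)
    events = []
    # One source tries 40 different usernames once each; two pairs are valid.
    for i in range(40):
        events.append((base + timedelta(seconds=2 * i), "203.0.113.7",
                       f"user{i}", i in (7, 31)))
    # A legitimate user mistypes twice, then logs in.
    for i, ok in enumerate((False, False, True)):
        events.append((base + timedelta(seconds=30 * i), "198.51.100.20",
                       "carol", ok))
    return events

def detect_stuffing(events, window=timedelta(minutes=10),
                    min_failures=20, min_users=15):
    """Flag sources with many failures across many usernames in one window."""
    by_source = defaultdict(list)
    for ts, src, user, ok in sorted(events):
        by_source[src].append((ts, user, ok))
    findings = {}
    for src, evs in by_source.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            failed = [u for _, u, ok in evs[start:end + 1] if not ok]
            # Brute force hits one account many times; stuffing hits many
            # accounts about once each, so require breadth as well as volume.
            if len(failed) >= min_failures and len(set(failed)) >= min_users:
                findings[src] = {
                    "alert_at": evs[end][0],
                    "failures": len(failed),
                    "distinct_users": len(set(failed)),
                    # Any success from this source means the password is known.
                    "compromised": sorted({u for _, u, ok in evs if ok}),
                }
                break
    return findings

if __name__ == "__main__":
    for src, info in detect_stuffing(constructed_events()).items():
        print(src, info)
```

Grouping by source IP is a simplification: traffic spread across many addresses needs the same breadth test applied to other keys, such as the aggregate failure rate for the whole login endpoint.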
do people really use this shit? (Score:3)
Re: do people really use this shit? (Score:3)
Yes. Sysadmins too. 'Tis a shame.
Re:do people really use this shit? (Score:4, Interesting)
Yes. They advertise a lot on right wing AM radio. It's the same morons who buy My Pillow slippers and sheets.
Don't know why you got modded down - this is 100% true
Re: do people really use this shit? (Score:3)
Re: What PW manager is good then? (Score:2)
Re:What PW manager is good then? (Score:4, Informative)
Re: (Score:1)
Re: (Score:2)
Even if it is index cards in your real life wallet. If it is protecting something important it is worth having to type it in.
Re:What PW manager is good then? (Score:5, Informative)
Re:What PW manager is good then? (Score:4, Insightful)
Willie Sutton had it right: "I rob banks because that is where the money is."
What is more enticing to a hacker, a place with millions of passwords, or a place with only a few?
Keeping your passwords on your own machine is safer because you are not of great interest to hackers who are looking for passwords. It also helps if you don't call the file "passwords.txt".
Password reuse ??? (Score:4, Insightful)
Peter Norton -- decades later (Score:2)
Re: (Score:2)
Just yesterday I was driving by an old Symantec building and thinking how kids today will never understand using Norton Utilities to repair your drive. They'll never understand that you'd use it to defrag your drive so the computer would be faster and it was noticeable. It's also funny that most of us never backed up before doing that, which is scary. But we also didn't have our lives on computers in the same way we do now.
Re: (Score:1)
Yeah, when you think back to the eighties and the ubiquitous Norton Utilities, unerase and commander, it's weird that they eventually morphed into stuff like this.
Re: (Score:1)
Re: (Score:1)
Yes. And your private data will be stored in a basement at Mar-a-Lago, surrounded by classified document folders as a distraction. Perhaps he could scatter a few Matchbox cars Corvette models in a nod to bipartisan tomfoolery.
Re: (Score:2)
Not the first time (Score:3)