Security

925,000 Norton LifeLock Accounts Targeted by Credential-Stuffing Attack (cnet.com)

"Thousands of people who use Norton password manager began receiving emailed notices this month alerting them that an unauthorized party may have gained access to their personal information," reports CNET, "along with the passwords they have stored in their vaults.

"Gen Digital, Norton's parent company, said the security incident was the result of a credential-stuffing attack rather than an actual breach of the company's internal systems." Gen's portfolio of cybersecurity services has a combined user base of 500 million users — of which about 925,000 active and inactive users, including approximately 8,000 password manager users, may have been targeted in the attack, a Gen spokesperson told CNET via email....

Norton's intrusion detection systems detected an unusual number of failed login attempts on Dec. 12, the company said in its notice. On further investigation, around Dec. 22, Norton was able to determine that the attack began around Dec. 1. "Norton promptly notified both regulators and customers as soon as the team was able to confirm that data was accessed in the attack," Gen's spokesperson said.

Personal data that may have been compromised includes Norton users' full names, phone numbers and mailing addresses. Norton also said it "cannot rule out" that password manager vault data including users' usernames and passwords were compromised in the attack....

Norton is also offering access to credit monitoring services for affected users, according to its letter to customers.

  • by SuperKendall ( 25149 ) on Monday January 23, 2023 @01:55AM (#63231712)

    Hacked accounts are one thing, but being able to get into a whole password manager's account storage is pretty scary. It would not only let them know passwords into accounts, but also patterns you may use for passwords generally so potentially give access to systems not even included in that password manager or ones you use in the future...

    Also would let them know instantly a whole set of sites they can take advantage of logging in with your info, I guess two factor would stop some attacks but that's a pretty thin wall protecting you from widespread disaster.

    • Some password managers even will store the two-factor authentication shared secret, and can produce the TOTP codes for you. How convenient!
    • by AmiMoJo ( 196126 )

      Isn't LifeLock mostly about protecting things like your credit rating and preventing people from opening bank accounts in your name?

      In which case they probably hold a lot of sensitive personal data. Name, address, social security number etc. While passwords could at least theoretically be encrypted, that personal data will need to be accessible to Norton in order to notify all the various agencies to put a lock on the user's account etc.

      • by klashn ( 1323433 )
        Norton as a company just buys tools and brands them as their own. They have a suite of tools. Lifelock is now owned by Norton and is branded under the Norton name.
  • Is it just me? (Score:4, Insightful)

    by IdeaMan ( 216340 ) on Monday January 23, 2023 @02:08AM (#63231736) Homepage Journal

    Or does having a third party "hold onto your passwords for you" sound like pure unmitigated stupidity?

    • Yes. It is. Add to the fact that the Norton Virus Delivery System is 'guarding' your passwords then it is double stupid.

      • by Kokuyo ( 549451 )

        Why? Assuming your vault really is encrypted and only you have the key, the only issue here would be if someone was hilariously stupid enough to use the same password in the password manager as on the hacked sites from which the credentials used in this credential stuffing attempt come.

        What is the alternative? Having one account, possibly with the government, against which all other services are required, by law, to authenticate?

        Doing it yourself? And then potentially not being up to snuff with your own sec

        • Well, I would tell you, but then I would have to kill you.

          Bad jokes and puns aside, my suggestion is to create your own method of security for said information. I have a method I use but I don't want to talk about it because it is pretty secure and it hasn't been breached yet. I will say that the phrase 'Security Through Obscurity' is a major clue though. Add to that various ideas for steganography and I am sure you can come up with something that will work for you given your particular situation.

          Sometimes th

        • Why? Assuming your vault really is encrypted and only you have the key, the only issue here would be if someone was hilariously stupid enough to use the same password in the password manager as on the hacked sites from which the credentials used in this credential stuffing attempt come.

          You would think so, but what Norton wrote is:

          In accessing your account with your username and password, the unauthorized third party may have viewed your first name, last name, phone number, and mailing address. Our records indicate that you utilize our Norton Password Manager feature and, we cannot rule out that the unauthorized third party also obtained details stored there especially if your Password Manager key is identical or very similar to your Norton account password.

          Perhaps they think the encrypted password vaults may have been downloaded by the attackers, and they are worried about offline brute force attacks.

    • by gweihir ( 88907 )

      Not if done right. We now have seen several instances of "big" names making absolute novice mistakes though, likely through sheer incompetence. So no, I would not hand my passwords to any tool that is not completely on my devices.

    • If done right, it is more secure than trying to remember the password for every account. However, the key phrase is "if done right". A password manager needs a lot of thought and implementation:

      * Are there actual useful levels of encryption between the password stored and the database sitting on storage? 1Password solves this by their secondary secret key, where if the database (or a backup) is filched, there is no way to decrypt it other than to attack endpoints.

      * Barring a password + a key, does the

  • Comment removed (Score:5, Informative)

    by account_deleted ( 4530225 ) on Monday January 23, 2023 @05:27AM (#63231908)
    Comment removed based on user account deletion
    • I do not allow brute forcing of passwords on my systems. You won't get far. I'm a little guy. You'd think Norton could handle it...
    • Even though there isn't much a place can do against credential stuffing attacks, it would be nice if Norton offered the ability to have a second decryption key (which is generated clientside, the user saves that on their devices and in a recovery folder), similar to what 1Password does, in combination with the password. This would make credential stuffing attacks pointless, and even getting the backend databases useless for an attacker unless they managed to get a foothold on endpoints.

      As time goes on, attacks
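The "second decryption key" idea raised in the two comments above (the 1Password-style secondary secret key and this request for Norton to offer one), as an added, simplified illustration that is not 1Password's, Norton's or any commenter's code; the KDF parameters, verifier construction and sample passwords are assumptions:

```python
"""Added example, not 1Password's or Norton's scheme: the vault key is derived from BOTH
the account password and a random secret key that only ever lives on the user's devices.
A stuffed (reused) password alone, or a stolen server-side vault database alone, then
produces the wrong key, so neither credential stuffing nor an offline attack on the
downloaded vault gets anywhere without the client-side secret."""
import hashlib, hmac, os, secrets

ITERATIONS = 100_000  # assumed PBKDF2 cost; real products tune this per platform

def new_secret_key():
    """Generated once on the client; stored on the user's devices and a recovery kit,
    never sent to the provider."""
    return secrets.token_bytes(16)

def derive_vault_key(password: str, secret_key: bytes, salt: bytes) -> bytes:
    # Stretch the password against the (server-stored) salt, then bind the result
    # to the secret key. Without the secret key the stretched password is useless.
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.new(secret_key, stretched, hashlib.sha256).digest()

def make_verifier(vault_key: bytes) -> bytes:
    """Stored beside the vault so the client can distinguish a wrong key from a
    corrupt vault without ever storing the key itself."""
    return hmac.new(vault_key, b"vault-verifier", hashlib.sha256).digest()

def unlock(password: str, secret_key: bytes, salt: bytes, verifier: bytes) -> bool:
    key = derive_vault_key(password, secret_key, salt)
    return hmac.compare_digest(make_verifier(key), verifier)

def demo():
    """Three attempts: the real user, a stuffer holding the reused password but no
    secret key, and a device holding the secret key but the wrong password."""
    salt, sk = os.urandom(16), new_secret_key()
    verifier = make_verifier(derive_vault_key("correct horse", sk, salt))  # constructed
    return {
        "right_pw_and_key": unlock("correct horse", sk, salt, verifier),
        "stuffed_pw_no_key": unlock("correct horse", b"\x00" * 16, salt, verifier),
        "key_but_wrong_pw": unlock("hunter2", sk, salt, verifier),
    }
```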

  • Wouldn't be surprised if > 90% of these users were suckered into using Norton because that shit came preinstalled on their new computer behaving like ransomware, showing scary popups that their computer might be at risk if they didn't cough up for a subscription.

  • by gweihir ( 88907 ) on Monday January 23, 2023 @06:38AM (#63232000)

    Because credential stuffing is easy to detect and to stop. And, of course, you prevent users using passwords from known lists. Also, you run the attack yourself and require password changes in case some larger new lists of bad passwords become known. All not hard to do. All requires you to know what you are doing though.

    The only possibility I see for this being a problem is that Norton has no clue how password security works. Another "security" company incompetent with regards to security. How pathetic.
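An added example of the detection gweihir says is easy, not code from the thread or from Norton: it runs over constructed auth-log lines in a hypothetical `ts src_ip user OK|FAIL` format and separates a stuffing source (many distinct usernames, mostly failures) from a human retyping one password, then lists the accounts the source actually got into.

```python
"""Added example (not code from the Slashdot thread, Norton or Gen): a detector for the
pattern gweihir describes. A brute force hammers one account; credential stuffing is one
source trying many distinct usernames, each once or twice, with a high failure rate."""
from collections import defaultdict
import re

# Constructed sample auth-log lines (hypothetical format: ts src_ip user OK|FAIL).
SAMPLE_LOG = """\
2022-12-01T02:00:01Z 203.0.113.7 alice FAIL
2022-12-01T02:00:02Z 203.0.113.7 bob FAIL
2022-12-01T02:00:02Z 203.0.113.7 carol OK
2022-12-01T02:00:03Z 203.0.113.7 dave FAIL
2022-12-01T02:00:03Z 203.0.113.7 erin FAIL
2022-12-01T02:00:04Z 203.0.113.7 frank FAIL
2022-12-01T02:01:00Z 198.51.100.9 alice FAIL
2022-12-01T02:01:05Z 198.51.100.9 alice FAIL
2022-12-01T02:01:09Z 198.51.100.9 alice OK
2022-12-01T02:02:00Z 192.0.2.33 bob OK
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse(log_text):
    """Yield (src_ip, user, success) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(2), m.group(3), m.group(4) == "OK"

def find_stuffing_sources(log_text, min_users=5, min_fail_ratio=0.7):
    """Return {src_ip: (distinct_users, fail_ratio)} for sources that look like
    credential stuffing. 198.51.100.9 (one user, two fails then OK) is a typo-prone
    human, not stuffing, so the distinct-user threshold leaves it alone."""
    users, attempts, failures = defaultdict(set), defaultdict(int), defaultdict(int)
    for ip, user, ok in parse(log_text):
        users[ip].add(user)
        attempts[ip] += 1
        failures[ip] += 0 if ok else 1
    return {ip: (len(users[ip]), failures[ip] / attempts[ip])
            for ip in attempts
            if len(users[ip]) >= min_users
            and failures[ip] / attempts[ip] >= min_fail_ratio}

def accounts_to_reset(log_text, flagged):
    """Accounts a flagged source logged into successfully: the ones a provider must
    notify and force through a password reset (and, for vault users, a key check)."""
    return sorted({user for ip, user, ok in parse(log_text) if ok and ip in flagged})
```

In production the same counts would be kept per source over a sliding window (and per ASN or device fingerprint, since stuffing tools rotate addresses), but the distinct-username signal is what separates it from ordinary failed logins.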

  • by bugs2squash ( 1132591 ) on Monday January 23, 2023 @10:55AM (#63232310)

    The marketing guys must really love the name "lifelock". I can only associate it with the many negative things I've read about it; I would have thought they would rebrand at this point.
