They recently fixed a vulnerability on their website that allowed anyone with a browser to index email addresses associated with their entire customer database. The vulnerability can even unsubscribe users from company communications designed to keep them safe and keep them apprised of changes they need to be aware of.
In addition to that, the vulnerability made it possible for hackers to initiate highly targeted phishing campaigns and create a convincing spoof of the Lifelock brand.
Symantec, which purchased Lifelock in late 2016, took the company’s website offline not long after being contacted by KrebsOnSecurity, which is how they became aware of the vulnerability.
Krebs was made aware of it by Nathan Reese, a freelance security consultant based out of Atlanta. Nathan put together a proof of concept script that was capable of downloading the email addresses of all 4.5 million of Lifelock’s customers and then presented it to Krebs.
Reece aborted his script after downloading 70 emails so as not to set off alarm bells at Lifelock, and had this to say about his discovery:
“If I were a bad guy, I would definitely target your customers with a phishing attack because I know two things about them. That they’re a LifeLock customer and that I have those customers’ email addresses. That’s a pretty sharp spear for my spear phishing right there. Plus, I definitely think the target market of LifeLock is someone who is easily spooked by the specter of cybercrime.”
He’s not wrong, so it’s good that Reece isn’t a bad guy.
There’s no evidence that any hackers were aware of the issue, or made off with any of Lifelock’s customer emails. However, given the existence of the now-patched flaw, it pays to be suspicious of any email that appears to be coming from Lifelock for the short to medium term, at least.