Ugh! Norton LifeLock password manager accounts accessed by hackers • Graham Cluley

What’s happened?

If you use Norton LifeLock as your password manager, your account may have been compromised.

Woah. What???

According to Bleeping Computer, Gen, the company behind Norton LifeLock (and other brands including Avast, Avira, AVG, ReputationDefender, and CCleaner), is sending data breach notifications to some of its customers warning that their accounts were accessed following a credential-stuffing attack.

So Norton LifeLock got hacked?

I’d argue that’s an unfair way to describe what has happened.

Norton LifeLock didn’t screw up anything like as badly as fellow password manager LastPass did in its recent horrendous hack.

In fact, in the notification being sent to affected Norton LifeLock customers, the company says:

Our own systems were not compromised. However, we strongly believe that an unauthorized third party knows and has utilized your username and password for your account.

But how did a hacker find out the username and password for so many people’s LifeLock accounts?

Credential-stuffing attacks take advantage of the fact that many people still make the mistake of reusing the same password in different places on the internet.

If one service gets breached and its password database stolen, hackers can fling those credentials at other online accounts to see if they unlock something interesting elsewhere. The replay is normally automated, with leaked username/password pairs tried at scale, which is why a credential-stuffing attack shows up on the target’s side as a flood of failed logins spread across many different accounts rather than repeated failures against one.

When did this attack happen?

The company says that the unauthorised access to customer accounts began on December 1 2022, but things heated up considerably on December 12 when a “large volume” of failed account logins occurred.
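The “large volume of failed logins” is the detectable symptom of the credential-stuffing pattern described above: one source trying many different usernames in a short window, with mostly failures and the occasional success. The following is an added example of that detection logic, not code from Norton, Gen, or this article. It runs over a constructed authentication log (the line format, IP addresses, and usernames are invented for illustration) and flags the source IPs whose behaviour fits the pattern, listing the accounts that logged in successfully from them, which are the ones a service would proactively reset.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real Norton LifeLock data).
# Assumed line format: "<ISO-8601 timestamp> <source IP> <username> <FAIL|SUCCESS>".
# 203.0.113.7 sprays seven different accounts in seven seconds (one hit);
# 198.51.100.4 is one user fumbling their own password and then getting in.
SAMPLE_LOG = """\
2022-12-12T09:00:01Z 203.0.113.7 alice@example.com FAIL
2022-12-12T09:00:02Z 203.0.113.7 bob@example.com FAIL
2022-12-12T09:00:03Z 203.0.113.7 carol@example.com FAIL
2022-12-12T09:00:04Z 203.0.113.7 dave@example.com SUCCESS
2022-12-12T09:00:05Z 203.0.113.7 erin@example.com FAIL
2022-12-12T09:00:06Z 203.0.113.7 frank@example.com FAIL
2022-12-12T09:00:07Z 203.0.113.7 grace@example.com FAIL
2022-12-12T09:01:00Z 198.51.100.4 alice@example.com FAIL
2022-12-12T09:01:30Z 198.51.100.4 alice@example.com FAIL
2022-12-12T09:02:00Z 198.51.100.4 alice@example.com SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")


def parse_log(text):
    """Parse log lines into (timestamp, ip, username, succeeded) tuples, sorted by time.
    Malformed lines are skipped rather than crashing the detector."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4) == "SUCCESS"))
    return sorted(events)


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_attempts=5, min_distinct_users=5,
                               max_success_ratio=0.5):
    """Flag source IPs that, within `window`, attempt many logins against many
    *different* usernames with mostly failures: the signature of a leaked
    credential list being replayed. One user retrying their own password
    (a single username) never reaches min_distinct_users and is not flagged.

    Returns {ip: {"attempts": n, "distinct_users": set, "compromised": set}},
    where "compromised" holds usernames that logged in successfully from a
    flagged IP, i.e. candidates for a forced password reset.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        j = 0
        for i in range(len(evs)):
            # Advance j so that evs[i:j] is every attempt within `window` of evs[i].
            while j < len(evs) and evs[j][0] - evs[i][0] <= window:
                j += 1
            chunk = evs[i:j]
            users = {e[2] for e in chunk}
            n_success = sum(1 for e in chunk if e[3])
            if (len(chunk) >= min_attempts
                    and len(users) >= min_distinct_users
                    and n_success / len(chunk) <= max_success_ratio):
                f = findings.setdefault(
                    ip, {"attempts": 0, "distinct_users": set(), "compromised": set()})
                f["attempts"] = max(f["attempts"], len(chunk))
                f["distinct_users"] |= users
                f["compromised"] |= {e[2] for e in chunk if e[3]}
    return findings


if __name__ == "__main__":
    for ip, f in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {f['attempts']} attempts against {len(f['distinct_users'])} accounts; "
              f"successful logins to reset: {sorted(f['compromised'])}")
```

The thresholds are deliberately conservative so that ordinary users mistyping their own password are not swept up; in practice you would also key on user agent and on the fraction of usernames that do not exist at all, since a leaked list from another site contains plenty of those.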

What did the hackers access in Norton LifeLock accounts?

The data breach notification says that customers’ names, phone numbers, and mailing addresses were accessed, but TechCrunch reports that the company “cannot rule out that the intruders also accessed customers’ saved passwords.”

Gulp!

What can be done to stop this kind of attack?

Well, the first thing is to STOP REUSING PASSWORDS (Sorry for shouting, but I’ve been saying this for years…) A password manager exists to give you a unique password for every site, which is exactly why the one password guarding the manager itself must never be one you have used anywhere else.

The other thing you can do is enable two-factor authentication (2FA) on your accounts, which adds an additional layer of protection even if your password falls into the wrong hands.


Norton offers three flavours of 2FA to its account holders: a mobile authentication app, a security key, or a mobile phone number. Either of the first two methods is a better option than a phone number, since codes sent to a phone can be intercepted or redirected by SIM swapping, but frankly any 2FA is better than no 2FA at all.

Which brings me to my next point. Why doesn’t Norton LifeLock insist that users enable two-factor authentication for their own protection?

It certainly sounds like it would make life harder for hackers…

Right. 2FA isn’t 100% bulletproof, but it does force criminals to put more effort into their attacks, which may make them unattractive, particularly at scale.

So how many accounts were accessed by the hackers?

Bleeping Computer reports that Gen claims to have “secured 925,000 inactive and active accounts that may have been targeted by credential-stuffing attacks.” Note the wording: that is the number of accounts the company locked down because they may have been targeted, not a count of accounts the attackers actually got into, which has not been stated.

Almost a million!

Yup, it’s a big attack. The company says that it is monitoring the situation closely, flagging accounts with suspicious login attempts, and proactively asking customers to reset their passwords.

It is also recommending that 2FA is enabled, but, at the risk of repeating myself, I would love to see more companies insist on the use of two-factor authentication. Ultimately it not only helps to protect customer accounts, but it can also reduce reputational damage to the targeted service.

Which, I’d argue, is particularly important in the case of a service which is supposed to store your passwords securely.

Graham Cluley is a veteran of the anti-virus industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon’s Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy.