LifeLock ID leaks could have helped information thieves

The service has a poor reputation for protecting sensitive information

LifeLock’s identity theft protection service suffered a security flaw that compromised the identity of its users, as reported by experts in enterprise data protection services from the International Institute of Cyber Security. The incident forced Symantec, its parent company, to take part of its website offline to fix the problem after learning of the flaw.

According to reports, the vulnerability was discovered through the company’s newsletter, which a user of the service had received. Clicking the “unsubscribe” option in the newsletter opened a page showing the subscriber’s key. That allowed the user to create a script that was able to extract keys and email addresses for other users.
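The following is an added example, not LifeLock's or Symantec's code: it contrasts an unsubscribe handler that trusts a bare subscriber key and echoes the email address with a hardened one that requires an HMAC-signed token and returns the same generic message for every request. The subscriber records, function names and message text are constructed for illustration, and the assumption that the original page looked up the address directly from the key is ours.

```python
import hashlib
import hmac
import secrets

# Assumption: per-deployment secret; generated here so the demo runs offline.
SECRET = secrets.token_bytes(32)

# Constructed sample records: subscriber key -> email address.
SUBSCRIBERS = {1001: "alice@example.com", 1002: "bob@example.com"}
UNSUBSCRIBED = set()

GENERIC = "If this address was subscribed, it has been removed."


def handle_unsubscribe_weak(key: int) -> str:
    """Weak pattern: any key is accepted and the page reveals the email."""
    email = SUBSCRIBERS.get(key)
    if email is None:
        return "Unknown subscriber."
    UNSUBSCRIBED.add(key)
    return f"{email} (key {key}) has been unsubscribed."


def _mac(subscriber_id: int) -> str:
    msg = f"unsub:{subscriber_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def make_token(subscriber_id: int) -> str:
    """Token placed in the newsletter link: '<id>.<hmac>'."""
    return f"{subscriber_id}.{_mac(subscriber_id)}"


def handle_unsubscribe(token: str) -> str:
    """Hardened pattern: verify the MAC, never echo identifying data."""
    try:
        sid_text, mac = token.split(".", 1)
        sid = int(sid_text)
    except ValueError:
        return GENERIC  # malformed token: same response as success
    # Constant-time comparison on bytes avoids timing leaks and type errors.
    valid = hmac.compare_digest(mac.encode(), _mac(sid).encode())
    if valid and sid in SUBSCRIBERS:
        UNSUBSCRIBED.add(sid)
    return GENERIC
```

With the signed token, changing the identifier in the link invalidates the MAC, and the response gives no signal about whether a given key or address exists.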

“If I were a bad guy, I would definitely implement a phishing campaign aimed at the company users, because I know a couple of things about them: I know they are LifeLock customers and I know their email addresses. That’s a great advantage to perform a spear phishing attack. In addition, I definitely believe that the target market of LifeLock is composed of easily identifiable people to carry out cyber attacks,” says the user, who seems to have knowledge about information security and enterprise data protection services.

The LifeLock website appears to be working as usual, but it is unclear whether the vulnerability has already been patched. One thing is certain: the service has a terrible history when it comes to maintaining the confidentiality of its users’ sensitive information.

In 2014, LifeLock had to withdraw its mobile apps after discovering that they didn’t comply with the security standards for payment card information. A year before Symantec bought the company in 2016, the US Federal Trade Commission (FTC) also imposed a $100M fine for not doing enough to protect its users’ personal data, including social security numbers, credit card and bank account information.

Reports from specialists in enterprise data protection services mention that the LifeLock website can continue working while the vulnerability is being fixed, with only some functions of its online servers limited.