LifeLock Customers At Risk Of Email Information Exposure

August 8, 2018 | June 3rd, 2022 | Cybersecurity

It's a dark day for LifeLock, the identity theft protection company. It has recently come to light that the company may have accidentally exposed its customers to additional attacks.

The company recently fixed a vulnerability on its website that allowed anyone with a browser to index email addresses associated with its entire customer database. The vulnerability could even be used to unsubscribe users from company communications designed to keep them safe and apprised of changes they need to be aware of.

In addition, the vulnerability made it possible for hackers to initiate highly targeted phishing campaigns and create a convincing spoof of the LifeLock brand.

Symantec, which purchased LifeLock in late 2016, took the company’s website offline not long after being contacted by KrebsOnSecurity, which is how Symantec became aware of the vulnerability.

Krebs was made aware of it by Nathan Reese, a freelance security consultant based out of Atlanta. Reese put together a proof of concept script that was capable of downloading the email addresses of all 4.5 million of LifeLock’s customers and then presented it to Krebs.

Reese aborted his script after downloading 70 emails so as not to set off alarm bells at LifeLock, and had this to say about his discovery:

“If I were a bad guy, I would definitely target your customers with a phishing attack because I know two things about them.  That they’re a LifeLock customer and that I have those customers’ email addresses.  That’s a pretty sharp spear for my spear phishing right there.  Plus, I definitely think the target market of LifeLock is someone who is easily spooked by the specter of cybercrime.”

He’s not wrong, so it’s good that Reese isn’t a bad guy.

There’s no evidence that any hackers were aware of the issue or made off with any of LifeLock’s customer emails. However, given the existence of the now-patched flaw, it pays to be suspicious of any email that appears to be coming from LifeLock for the short to medium term, at least.

Jason Manteiga