NortonLifeLock Says Customer Accounts were Compromised in Credential-Stuffing Attack

NortonLifeLock customers have been warned that their accounts may have been compromised in a security breach.

The company, which specialises in antivirus software and identity theft protection, said that approximately 925,000 accounts were targeted in a credential-stuffing attack.

Customers’ full names, phone numbers and mailing addresses are thought to have been exposed in the incident. The attackers might also have had access to Norton Password Manager users’ private vault data, which contains stored passwords for other online accounts. The vault is protected by its own master password, so it is most at risk where a user chose the same password, or a very similar one, for both the vault and the Norton account.

Gen Digital, the parent company behind NortonLifeLock, confirmed that the attack began on 1 December 2022 and that all affected accounts have since been secured. However, it’s unclear what damage the cyber criminals were able to inflict before the affected accounts were locked down. Note that there was no software vulnerability to patch here: the attack exploited passwords that customers had reused elsewhere.

How did this happen?

In a letter shared with the Office of the Vermont Attorney General, Gen Digital stated that the attack didn’t result from a breach of its own IT environment. Rather, a cyber criminal used credentials that they had purchased from the dark web in an attempt to log in to Norton customer accounts.

“Our own systems were not compromised. However, we strongly believe that an unauthorized third party knows and has utilized your username and password for your account,” NortonLifeLock said.

The organisation detected “an unusually large volume” of failed login attempts on 12 December 2022, the tell-tale sign of credential stuffing: failures spread across many different accounts in a short period, rather than one user mistyping their own password a few times.

Credential stuffing is the automated replay of username and password pairs leaked from one breach against the login pages of unrelated sites, usually from a script that works through a purchased list and records which pairs still succeed.

The technique works because many people reuse their login credentials on multiple sites. If one account is compromised, attackers can use the information elsewhere.
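The two signals above (a flood of failures across many distinct usernames, and a fleet-wide spike in failed logins) are what a provider's detection logic looks for. The following is an added example of that logic, not Norton's or Gen Digital's code: it assumes a simple one-line-per-attempt log format (timestamp, source IP, username, OK/FAIL) and uses a constructed sample in which one IP walks a leaked list and lands a single hit on a reused password. It also reports the accounts that succeeded from a flagged source, which are the ones a provider would force to reset.

```python
"""Spot credential-stuffing patterns in authentication logs.

Added example, not code from Norton/Gen Digital. The log format is an
assumption for this example:
    <ISO-8601 timestamp> <source IP> <username> <OK|FAIL>
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: one source IP replays leaked username/password pairs
# (mostly failures, one hit where the user reused a password); one legitimate
# user mistypes once and then logs in; one other user logs in normally.
SAMPLE_LOG = """\
2022-12-12T09:00:01Z 203.0.113.7 alice@example.com FAIL
2022-12-12T09:00:02Z 203.0.113.7 bob@example.com FAIL
2022-12-12T09:00:03Z 203.0.113.7 carol@example.com FAIL
2022-12-12T09:00:04Z 203.0.113.7 dave@example.com FAIL
2022-12-12T09:00:05Z 203.0.113.7 erin@example.com FAIL
2022-12-12T09:00:06Z 203.0.113.7 frank@example.com FAIL
2022-12-12T09:00:07Z 203.0.113.7 grace@example.com FAIL
2022-12-12T09:00:08Z 203.0.113.7 hank@example.com OK
2022-12-12T09:01:00Z 192.0.2.44 ivy@example.com OK
2022-12-12T09:03:10Z 198.51.100.9 ivy@example.com FAIL
2022-12-12T09:03:25Z 198.51.100.9 ivy@example.com OK
"""


def parse(lines):
    """Yield (timestamp, ip, username, succeeded) for each non-empty line."""
    for line in lines:
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"


def detect_stuffing(lines, min_users=5, max_success_ratio=0.2):
    """Flag source IPs that try many distinct usernames with a low success
    rate. The caller passes a bounded slice of the log (say, the last five
    minutes). A user who forgot a password fails on ONE username; a stuffing
    script fails across MANY, with the occasional success on a reused password.
    """
    by_ip = defaultdict(list)
    for _, ip, user, ok in parse(lines):
        by_ip[ip].append((user, ok))
    flagged = {}
    for ip, attempts in by_ip.items():
        users = {u for u, _ in attempts}
        successes = sum(ok for _, ok in attempts)
        ratio = successes / len(attempts)
        if len(users) >= min_users and ratio <= max_success_ratio:
            flagged[ip] = {"attempts": len(attempts), "distinct_users": len(users),
                           "successes": successes, "success_ratio": ratio}
    return flagged


def compromised_accounts(lines, **thresholds):
    """Usernames that logged in successfully from a flagged IP: the accounts
    a provider would force through a password reset."""
    bad_ips = detect_stuffing(lines, **thresholds)
    return {user for _, ip, user, ok in parse(lines) if ok and ip in bad_ips}


def failures_per_minute(lines):
    """Fleet-wide failed-login volume per minute, regardless of source IP.
    Stuffing spread over many proxies (a few attempts each) slips past the
    per-IP heuristic but still shows up as an aggregate spike."""
    counts = Counter()
    for ts, _, _, ok in parse(lines):
        if not ok:
            counts[ts.strftime("%Y-%m-%dT%H:%M")] += 1
    return dict(counts)


def spike_minutes(counts, baseline, factor=5.0):
    """Minutes whose failure count exceeds `factor` times the normal
    per-minute baseline (in practice the baseline comes from history)."""
    return sorted(m for m, n in counts.items() if n > factor * baseline)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("stuffing sources:", detect_stuffing(lines))
    print("accounts to force-reset:", compromised_accounts(lines))
    print("failure spikes:", spike_minutes(failures_per_minute(lines), baseline=1.0))
```

The per-IP rule catches a single scripted source; the per-minute aggregate is what catches the distributed variant, where each proxy makes only a handful of attempts and never trips a per-IP threshold. Both need tuning against the provider's own normal traffic: a password-reset campaign or a broken mobile client can also produce a burst of failures.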

Are customers at risk?

It’s unclear exactly what the cyber criminals’ motivation was for this attack, and therefore we don’t know what they planned to do with the compromised NortonLifeLock accounts.

In theory, they could adjust users’ settings to disable anti-malware warnings, then launch phishing campaigns designed to infect victims’ devices. However, this would be a long-winded and time-consuming attack method, particularly given the ease with which attackers can infect people without having to compromise their security tools.

It’s more likely that the crooks’ main target was the information stored in the Norton Password Manager feature. This would give them login credentials for a variety of other accounts that can be monetised far more directly.

For example, individuals might use the tool to store login details for online banking or cryptocurrency accounts, which would be highly valued by scammers for the potential to access funds directly.

Social media accounts are also a common target, because compromised accounts can be used to promote scams and potentially trick other people into also handing over their login credentials.

Gen Digital noted that the incident could lead to other compromised accounts, the loss of digital assets and the exposure of secrets.

In a statement, the organisation said: “We have been monitoring closely, flagging accounts with suspicious login attempts and proactively requiring those customers to reset their passwords upon login along with additional security measures to protect our customers.

“We continue to work with our customers to help them secure their accounts and personal information.”

A forced password reset locks the attacker out of the Norton account itself, but it does nothing about data that was already read from it. The chances are that the criminals exfiltrated what they found, vault contents included, and saved it elsewhere.

Users must therefore continue to act with caution: change any password that was stored in the vault (starting with email, banking and other high-value accounts), use a different password for every site so that one leak cannot be replayed elsewhere, and strongly consider enabling multi-factor authentication.

This is a security mechanism that protects accounts by requiring users to provide a second, independent proof of identity when logging in. This is typically either ‘something you have’ (such as a one-time code from an authenticator app or a code sent to your phone) or ‘something you are’ (such as a fingerprint scan).

By doing this, you mitigate the risk of password compromise. An attacker who has bought your username and password from a breach dump still needs the second factor, which a credential list cannot supply.

It’s one of several measures that we recommend in our Information Security and Cyber Security Staff Awareness E-Learning Course.

This online training course is the ideal way to teach your employees about data protection threats.

The content, which is certified by the UK’s NCSC (National Cyber Security Centre), helps embed effective information security and cyber security habits, and reduces the risk of data breaches.

Those who take the course will learn about specific threats that they face, such as malware and phishing, and the steps that individuals can take to combat these threats.