Norton Password Manager Accounts at Risk After AttackPassword Managers Remain Attractive Targets for Hackers
Hackers may have breached password manager accounts of Norton LifeLock customers last month after using a relatively unsophisticated attack known as credential stuffing. Gen Digital, a company co-headquartered in Prague and Tempe, Arizona, that owns the once-storied Norton brand, is notifying customers of LifeLock who also use the Norton Password Manager feature that it detected a threat actor using a list of previously breached username and password combinations in a weekslong attempt to access individual LifeLock accounts.
Password managers are attractive targets for hackers since obtaining decrypted vaults of customer data that potentially contains online banking credentials and credit card numbers could result in a bonanza of stolen money. In December, popular password manager LastPass disclosed that hackers had obtained encrypted copies of customer vaults, meaning nothing other than the strength of customers' master password may stand between the vault contents and the attackers.
Security experts haven't changing their advice for consumers to use password managers but incidents such as the LastPass breach have caused them to urge customers to thwart hackers by turning on multifactor authentication for vault access.
The LifeLock credential stuffing hack affected 6,453 individuals, the company disclosed. "We strongly believe that an unauthorized third party knows and has utilized your username and password for your account," the notification letter warns.
The company says it cannot rule out that the same hackers used the validated logon information to also access Norton Password Manager accounts "especially if your Password Manager key is identical or very similar to your Norton account password."
Gen Digital says it initially detected the credential stuffing attack on Dec. 12 after noticing a high volume of failed login attempts. Further analysis showed the attack began around Dec. 1. Gen Digital assumed its current branding in November, weeks after completing acquisition of Czech antivirus company Avast.
Previously known as NortonLifeLock, the company is the result of a 2019 split of cybersecurity firm Symantec into separate enterprise and consumer-oriented cybersecurity companies. The consumer branch moved its headquarters from Mountain View, California, to Tempe, Arizona, where LifeLock is located. Symantec bought the identity theft protection company in 2017, shortly after the company agreed to pay a $100 million fine to the Federal Trade Commission to settle accusations that it had violated an earlier consent order requiring it to protect users' personal information.
LifeLock co-founder Todd Davis at one point publicized his company's services by revealing his Social Security number, a decision that reportedly led to him becoming a victim of identity theft at least 13 times.