LifeLock Data Leak Exposes Customer Emails

What happened?  

On July 25, a security flaw was confirmed on LifeLock’s website that unintentionally leaked millions of customer email addresses. The flaw potentially allowed Web users access to the corresponding email addresses.

The website vulnerability, similar to the Panera data leak earlier this year, exposed unique LifeLock subscriber IDs (randomized numbers attributed to each customer). A security researcher named Nathan Reese was first to discover the flaw. He received an email to the account he had previously used for LifeLock, prompting him to renew his identity protection services.  

Reese also discovered that the flaw allowed users to unsubscribe customers from LifeLock communications. Upon clicking “unsubscribe,” he was taken to a page that showed his unique LifeLock subscriber ID in the Web address bar. 

 

Human Error or Malicious Attack?

The data leak was not a malicious attack, but a misconfiguration of LifeLock’s website. However, exposing unique LifeLock subscriber IDs potentially gives fraudsters more information about their victims, and therefore more ammunition for future cyberattacks.

Spear phishing, like traditional phishing, aims to impersonate a known person, business or other entity. The goal is to trick victims into divulging personal and financial information, login credentials and other sensitive data that could be used for fraud, identity theft or to make a profit on the Dark Web.

“If I were the bad guy, I would definitely target [LifeLock] customers with a phishing attack,” Reese said. “I know two things about them…that they’re a LifeLock customer and that I have those customers’ email addresses…Plus, I definitely think the target market of LifeLock is someone who is easily spooked by the specter of cybercrime.”

 

What should I do?

LifeLock has reportedly fixed the flaw and has no reason to believe the exposed information was misused. Use the tips below to secure your personal data as it relates to this data security event:

If you are currently, or have ever been, a member of LifeLock:

  • Be wary of email communications you receive from LifeLock. Fraudsters may target existing or previous LifeLock members in future cybersecurity attacks.
  • Update passwords for any accounts that use affected email addresses for login.
  • Consider enabling two-step authentication for affected email accounts to add an extra layer of protection.

Continue following Fighting Identity Crimes for more updates on this story, as well as ID protection news & tips from our industry experts.


 

The views and opinions expressed in this article are those of EZShield Inc. alone and do not necessarily reflect the opinions of any other person or entity, including specifically any person or entity affiliated with the distribution or display of this content.

John Burcham, Chief Privacy Officer at EZShield Fraud Protection
John Burcham is Corporate Counsel for EZShield. He is a Certified Compliance and Ethics Professional...

2 Comments

    • Hi Jdee,

      It can be startling to hear about any major data breach event, especially at big-name companies. However, security incidents like these only reaffirm the data breach trends we’ve been tracking over the past few years.

      From a consumer’s standpoint, data breaches are more than just exposed data. In fact, they can sometimes feel like the ultimate breach of trust. Despite this loss of trust, the glaring issue remains – you cannot control how any organization will handle your personal data.

      The truth is that no industry is immune to data breaches, and there is no quick fix for fraud. That’s why EZShield takes a preventative, educational-focused approach to combating fraud and identity theft.

      Fighting Identity Crimes powered by EZShield is here to keep our readers up-to-date on the latest fraud and identity theft trends, cybersecurity risks and scams, as well as other forms of identity crime. While it’s impossible to eliminate fraud completely, our goal is to arm you with the knowledge and resources needed to recognize, address and ultimately stop identity crime in its tracks.

      EZShield is an industry-leading identity protection services provider whose award-winning services are designed to secure your personal data in today’s connected world. Learn how EZShield’s security protocols continuously exceed industry standards by visiting EZShield.com

      Best,

      The EZShield Team
