On July 25, a security flaw was confirmed on LifeLock's website that unintentionally exposed millions of customer email addresses. The flaw potentially allowed any Web user to access the corresponding email addresses.
The website vulnerability, similar to the Panera data leak earlier this year, exposed unique LifeLock subscriber IDs (randomized numbers assigned to each customer). A security researcher named Nathan Reese was the first to discover the flaw. He received an email, sent to the account he had previously used for LifeLock, prompting him to renew his identity protection services.
Reese also discovered that the flaw allowed users to unsubscribe customers from LifeLock communications. Upon clicking “unsubscribe,” he was taken to a page that showed his unique LifeLock subscriber ID in the Web address bar.
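The pattern described above, an unsubscribe link that carries the bare subscriber ID and an endpoint that acts on that ID alone, is one of the more common ways an email list leaks. The following is an added illustration, not LifeLock's code and not a description of how their site was built: a constructed subscriber table, an unsafe handler that resolves whatever ID it is given, and a hardened handler that only honours links minted by the server (an HMAC-signed, expiring token), never echoes the address back, and returns the same generic response for a bad token and an unknown ID so the endpoint cannot be used to confirm which IDs exist. The secret key, the sample IDs and addresses, and the function names are all assumptions made for the example.

```python
import hashlib
import hmac
import time

# Constructed sample data for the example: subscriber IDs mapped to addresses.
SUBSCRIBERS = {
    "48213907": "alice@example.com",
    "48213908": "bob@example.com",
}

# Hypothetical server-side secret; a real deployment loads it from a secrets store.
UNSUBSCRIBE_KEY = b"example-only-server-secret"


def unsafe_unsubscribe(subscriber_id):
    """The weak pattern the article describes: the ID in the URL is the only thing
    checked, so possession of an ID is enough to act on the account and to learn
    the address behind it (the confirmation page shows it)."""
    email = SUBSCRIBERS.get(subscriber_id)
    if email is None:
        return None            # also tells the caller that this ID does not exist
    return {"unsubscribed": email}


def make_unsubscribe_token(subscriber_id, ttl_seconds=7 * 24 * 3600, now=None):
    """Mint the value to embed in the unsubscribe link instead of the bare ID.

    Token layout: "<id>.<expiry>.<hex HMAC-SHA256 over '<id>.<expiry>'>".
    Only the server holds UNSUBSCRIBE_KEY, so only server-generated links verify."""
    now = int(time.time()) if now is None else now
    payload = f"{subscriber_id}.{now + ttl_seconds}"
    sig = hmac.new(UNSUBSCRIBE_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_unsubscribe_token(token, now=None):
    """Return the subscriber ID if the token is well-formed, unexpired and
    carries a valid signature; otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        subscriber_id, expiry, sig = token.rsplit(".", 2)
        expiry = int(expiry)
    except ValueError:
        return None            # wrong shape, or expiry is not an integer
    payload = f"{subscriber_id}.{expiry}"
    expected = hmac.new(UNSUBSCRIBE_KEY, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak how much of the MAC matched.
    if not hmac.compare_digest(sig, expected):
        return None
    if now > expiry:
        return None
    return subscriber_id


def safe_unsubscribe(token, now=None):
    """Hardened handler: acts only on a server-minted token, never returns the
    address, and gives one generic answer for both bad tokens and unknown IDs."""
    subscriber_id = verify_unsubscribe_token(token, now)
    if subscriber_id is None or subscriber_id not in SUBSCRIBERS:
        return {"status": "invalid_link"}
    # Preference change would happen here; the recipient already knows their address.
    return {"status": "unsubscribed"}


if __name__ == "__main__":
    link_token = make_unsubscribe_token("48213907")
    print("unsafe, bare ID:", unsafe_unsubscribe("48213907"))
    print("safe, bare ID:  ", safe_unsubscribe("48213907"))
    print("safe, token:    ", safe_unsubscribe(link_token))
```

The bare ID that works against `unsafe_unsubscribe` is rejected by `safe_unsubscribe`, a token with its ID altered fails the signature check, an expired token is refused, and a valid token for an ID that is not in the table gets the same "invalid_link" response as a forged one.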
Human Error or Malicious Attack?
The data leak was not a malicious attack, but a misconfiguration of LifeLock's website. However, exposing unique LifeLock subscriber IDs potentially gives fraudsters more information about their victims, and therefore more ammunition for future cyberattacks, in particular spear phishing.
Spear phishing, like traditional phishing, aims to impersonate a known person, business or other entity. The goal is to trick victims into divulging personal and financial information, login credentials and other sensitive data that could be used for fraud, identity theft or to make a profit on the Dark Web.
“If I were the bad guy, I would definitely target [LifeLock] customers with a phishing attack,” Reese said. “I know two things about them…that they’re a LifeLock customer and that I have those customers’ email addresses…Plus, I definitely think the target market of LifeLock is someone who is easily spooked by the specter of cybercrime.”
What should I do?
LifeLock has reportedly fixed the flaw and has no reason to believe the exposed information was misused. Use the tips below to secure your personal data as it relates to this data security event:
If you are currently, or have ever been, a member of LifeLock:
- Be wary of email communications you receive from LifeLock. Fraudsters may target existing or previous LifeLock members in future cybersecurity attacks.
- Update passwords for any accounts that use affected email addresses for login.
- Consider enabling two-step authentication for affected email accounts to add an extra layer of protection.
Continue following Fighting Identity Crimes for more updates on this story, as well as ID protection news & tips from our industry experts.
The views and opinions expressed in this article are those of EZShield Inc. alone and do not necessarily reflect the opinions of any other person or entity, including specifically any person or entity affiliated with the distribution or display of this content.