LifeLock’s identity fraud insurance service suffered a security flaw that put its customers’ profiles at risk. The incident forced its parent company, Symantec, to take its site down to fix the issue after being notified by KrebsOnSecurity.
According to Krebs, Atlanta-based security specialist Nathan Reese found the vulnerability through a newsletter email he received from the service. After he clicked “unsubscribe,” a page popped up that plainly displayed his subscriber key. That enabled Reese to write a script that sequences numbers, which could pull keys and their corresponding email addresses from the service.
“If I were a bad guy, I would definitely target [the firm’s] customers with a phishing attack because I know two things about them. That they’re a LifeLock customer and that I have those customers’ email addresses. That’s a pretty sharp spear for my spear phishing right there. Plus, I definitely think the target market of LifeLock is someone who is easily spooked by the specter of cybercrime.”
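One way to close the kind of gap described above, as an added example (not code from LifeLock, Symantec or KrebsOnSecurity): the unsubscribe link carries an HMAC-tagged token instead of a bare sequential key, and the response page never echoes the key or the email address. The secret, the sample subscribers and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Assumption: a per-deployment secret held only by the server.
SECRET_KEY = secrets.token_bytes(32)
GENERIC_REPLY = "If this link was valid, you have been unsubscribed."

# Constructed sample data: sequential internal keys mapped to addresses.
SUBSCRIBERS = {
    1001: {"email": "alice@example.com", "subscribed": True},
    1002: {"email": "bob@example.com", "subscribed": True},
}

def issue_token(subscriber_id: int, key: bytes = SECRET_KEY) -> str:
    """Build the value placed in the email's unsubscribe link."""
    body = str(subscriber_id).encode()
    tag = hmac.new(key, b"unsubscribe:" + body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + b"." + tag).decode().rstrip("=")

def verify_token(token: str, key: bytes = SECRET_KEY):
    """Return the subscriber id if the tag is valid, otherwise None."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
        body, tag = raw.split(b".", 1)
        if not body.isdigit():
            return None
        subscriber_id = int(body)
    except ValueError:  # bad base64, missing separator, or non-numeric id
        return None
    expected = hmac.new(key, b"unsubscribe:" + body, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how much of the tag matched.
    return subscriber_id if hmac.compare_digest(tag, expected) else None

def handle_unsubscribe(token: str, db: dict = SUBSCRIBERS) -> str:
    """Process a link click; the reply never echoes the key or the address."""
    subscriber_id = verify_token(token)
    if subscriber_id in db:
        db[subscriber_id]["subscribed"] = False
    return GENERIC_REPLY  # identical for valid and invalid tokens
```

With this scheme, counting through subscriber numbers yields nothing: a bare number fails verification, and the page returned is the same whether or not the token was valid.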
LifeLock’s site is by all accounts back online now, but it’s unclear whether the vulnerability has been fixed. One thing is certain, however: the service has a poor track record when it comes to keeping its customers’ sensitive data private.
In 2014, it had to pull its mobile applications after discovering that they might not have been compliant with payment card security standards. A year before Symantec bought the company in 2016, the FTC also slapped it with a $100 million fine for not doing enough to protect personal data, including users’ social security, credit card and bank account numbers.