Thousands of Norton LifeLock customers’ accounts have been compromised in recent weeks, potentially allowing criminal hackers access to customer password managers, the company revealed in a recent data breach notice.
In a note to customers, Gen Digital, Norton LifeLock’s parent company, said the likely culprit was a credential stuffing attack — which uses previously disclosed or compromised credentials to break into accounts on different websites and services that use the same passwords — rather than compromising its systems. This is why the two-factor authentication that Norton LifeLock offers is recommended, as it prevents attackers from accessing someone else’s account with just their password.
The company said it found the intruders had compromised accounts as early as December 1, nearly two weeks before its systems detected a “large number” of failed customer account logins on December 12.
“While accessing your account using your username and password, the unauthorized third party may have viewed your first name, last name, phone number and mailing address,” the data breach reads. The notice was sent to customers who it believes are using the password manager feature, as the company cannot rule out that the intruders also accessed customers’ stored passwords.
Gen Digital said it sent notifications to about 6,450 customers whose accounts were compromised.
Norton LifeLock provides identity protection and cybersecurity services. It is the latest incident related to customer password theft in recent times. Earlier this year, password manager giant LastPass confirmed a data breach in which intruders compromised its cloud storage and stole millions of customers’ encrypted password vaults. In 2021, the company behind a popular enterprise password manager called Passwordstate was hacked to push its customers with a rogue software update that allowed the cybercriminals to steal customers’ passwords.
Despite this, password managers are still widely recommended by security professionals for generating and storing unique passwords, as long as the appropriate precautions and safeguards are in place to limit the impact in the event of a compromise.