More than 6,000 Norton LifeLock customers may have suffered credential stuffing attacks, compromising their personal data. The breach comes hot on the heels of the successful attack on another password manager service LastPass, which brings the security of such platform – designed to safeguard personal information – into question. Password managers offer widely varying levels of security, experts told Tech Monitor, and it is important customers research their chosen solution thoroughly.
Thousands of Norton Password Manager accounts breached
A statement from Gen Digital, Norton LifeLock’s parent company, said customers have experienced credential stuffing attacks in recent weeks. Incidents have been reported stretched as far back as December 1 last year.
The company’s systems “were not compromised,” according to a statement issued as part of a data breach notice. But, it said, “we strongly believe that an unauthorised third party knows and has utilised your username and password for your account. This username and password combination may potentially also be known to others.”
According to data compiled by Norton Lifelock, the firm detected “an unusually large volume” of of failed login attempts on December 12 indicating a possible credential stuffing attack. This is where log-in details stolen from one platform are deployed on another, in the hope that users have picked the same or similar passwords across multiple accounts.
Norton LifeLock sent breach notices to a total of 6,450 account holders. “In accessing your account with your username and password, the unauthorised third party may have viewed your first name, last name, phone number and mailing address,” the company said.
Customers who have been breached may have had data in their private vaults exposed. The worst impacted will be those who’s password manager master keys and Norton account passwords were similar. This makes it easy for criminals pivoting from one account to another, the company said. It has reset the passwords on impacted accounts to prevent customers from being illegally accessed again.
Are password managers safe to use?
News of the Norton LifeLock breach comes weeks after a class action law suit was launched against LastPass for failing to disclose the extent of a cyberattack. The password management service suffered a data breach in its master code in August 2022 but didn’t reveal the extent of the incident until December, when it confirmed data from up to 25 million customers had been compromised.
With many workers, particularly those who are part of remote teams, using their own devices for work purposes, the question of which, if any, password managers are safe to use is one which tech leaders must grapple with. But while the prospect of a company like LastPass or Norton LifeLock having to withstand a constant barrage of cyberattacks may not be a comforting one, experts say the systems remain beneficial, not least because many people have a lapse approach to password security.
A Google password survey revealed that over half of the respondents had given their password to someone else, while 22% of the respondents had shared their password for a streaming site, 17% for a social media platform and 17% for an online shopping account. Meanwhile a report into password safety by security company Bitwarden shows that 34% of respondents in the UK use a password manager, doing so because they “kept forgetting their passwords.”
Successful cyber attacks on password management companies must therefore be taken in their wider context, argues Darren Guccione, CEO and co-founder of security company Keeper Security:
“Customers who have relied on their security provider to protect their most sensitive accounts and information are understandably shaken,” Guccione says. “However, this isolated incident with a particular service provider should not prevent individuals or companies from using a secure password manager.
“It is essential that the public understand over 80% of data breaches are due to weak or stolen passwords, credentials and secrets. The question is not whether password managers should be used at all, but which particular managers should users entrust their data to.”
What does a successful password management company look like?
When choosing a password manager, Guccione says “not all cybersecurity software is created equal.”
“The most important consideration should be to evaluate the strength of the password manager, including how they store, manage, protect and transact on your information,” he says. “A password manager is a vital tool to protect your online accounts and sensitive information, however, that tool must meet the highest standards of security. Users can no longer assume every password manager on the market will provide the same level of protection.”
Indeed, browser-based password managers can be problematic says Chris Hauk, consumer privacy advocate at Pixel Privacy. “While any password manager is subject to data breaches or hacks, I am particularly wary of browser-based password managers, such as the one built into Google Chrome,” Hauk says. “This is because these managers may lack two-factor authentication and strong encryption.”
His advice is to “find a password manager that stores your information in a secure and encrypted format” that is unlockable “only by using a local password which is unknown to the password manager’s developer.”