Thousands of Norton LifeLock customers had their accounts compromised in recent weeks, potentially allowing criminal hackers access to customer password managers, the company revealed in a recent data breach notice.
In a notice to customers, Norton LifeLock said that the likely culprit was a credential stuffing attack — where previously exposed or breached credentials are used to break into accounts on different sites and services that share the same passwords — rather than a compromise of its systems. It’s why two-factor authentication, which Norton LifeLock offers, is recommended, as it blocks attackers from accessing someone’s account with just their password.
The company said it found that the intruders had compromised accounts as far back as December 1, close to two weeks before its systems detected a “large volume” of failed logins to customer accounts on December 12.
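One way a service operator might look for the pattern described above, as an added example (not code from Norton LifeLock or from the original article): a single source failing against many different usernames in a short window, with any login that succeeded from that source treated as an account to reset and notify. The event format, thresholds and function name are assumptions, and the sample log is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events: (timestamp, source IP, username, success).
# Addresses come from documentation ranges; this is not data from the incident.
EVENTS = [
    ("2024-01-01T09:00:00", "203.0.113.7", "alice", False),
    ("2024-01-01T09:00:40", "203.0.113.7", "bob", False),
    ("2024-01-01T09:01:10", "203.0.113.7", "carol", True),
    ("2024-01-01T09:01:50", "203.0.113.7", "dave", False),
    ("2024-01-01T09:02:30", "203.0.113.7", "erin", False),
    ("2024-01-01T09:03:05", "203.0.113.7", "frank", False),
    ("2024-01-01T09:03:40", "203.0.113.7", "judy", False),
    # One user mistyping a password, then getting it right: not stuffing.
    ("2024-01-01T09:02:00", "198.51.100.20", "grace", False),
    ("2024-01-01T09:02:20", "198.51.100.20", "grace", False),
    ("2024-01-01T09:02:45", "198.51.100.20", "grace", True),
    ("2024-01-01T09:05:00", "198.51.100.21", "heidi", True),
]

def find_stuffing_sources(events, window=timedelta(minutes=10), min_users=5):
    """Return {source_ip: [accounts that logged in successfully from it]} for
    every source that failed against >= min_users distinct usernames in window."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, ok))
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()  # chronological order per source
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until it spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            failed_users = {u for _, u, ok in rows[start:end + 1] if not ok}
            if len(failed_users) >= min_users:
                # A success from this source likely means a reused password worked.
                flagged[ip] = sorted({u for _, u, ok in rows if ok})
                break
    return flagged

if __name__ == "__main__":
    for ip, accounts in find_stuffing_sources(EVENTS).items():
        print(f"{ip}: reset and notify {accounts}")
```

Counting distinct usernames rather than raw failures keeps a single user who mistypes a password from being flagged.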
“In accessing your account with your username and password, the unauthorized third party may have viewed your first name, last name, phone number, and mailing address,” the data breach notice said. The notice was sent to customers that it believes use its password manager feature, because the company cannot rule out that the intruders also accessed customers’ saved passwords.
Norton LifeLock provides identity protection and cybersecurity services. It’s the latest in a run of recent incidents involving the theft of customer passwords. Earlier this year, password manager giant LastPass confirmed a data breach in which intruders compromised its cloud backup storage and stole millions of customers’ encrypted password vaults. In 2021, the company behind a popular enterprise password manager called Passwordstate was hacked to push a tainted software update to its customers, allowing the cybercriminals to steal customers’ passwords.
That said, password managers are still widely recommended by security professionals for generating and storing unique passwords, so long as the appropriate precautions and protections are put in place to limit the fallout in the event of a compromise.
Let’s talk about “appropriate precautions”: a password should no longer be the be-all and end-all of your security protection. Today’s standard includes two-factor authentication (sometimes called “two-step verification” or “multi-factor verification”), which combines something you know, such as your username and password, with something you own, such as your phone or a physical security key, or even something you have, like your fingerprint or another biometric, as a way of confirming that a person is authorized to log in.
The best way to secure your accounts is with two-factor authentication.
Even if you want to secure all your accounts, you may find some sites and services don’t support two-factor. But as credential-stuffing attacks rise and data breaches have become a regular occurrence, many sites and services are doing everything they can to protect their users.
There are four main types of two-factor authentication.
1: A text message “code” sent to your cell phone via SMS: This is one of the most common 2FA solutions available today. A set of numbers or letters is sent after you’ve attempted to log in with your password, and you’ll have to enter the code on the website before you gain access.
2: An authenticator app: Authy, Google Authenticator, Microsoft Authenticator.
3: Biometrics: Think face, fingerprint or eyeball scan.
4: A physical security key: The GOLD standard is a device named YubiKey, but Google has its Titan Security Key as well as its Advanced Protection Program for high-risk users.
If you’re ready to take the next step in upgrading your internet security, you should create a checklist of your most valuable accounts and begin switching on two-factor authentication. In most cases, it’s straightforward and easy to do. Take an hour or so to go through all your online accounts. It’s best to be proactive rather than reactive, as so many LastPass users are being forced to be right now.
You should see two-factor as an investment in security: a little of your time today, to save you from a whole world of trouble tomorrow.
Choose Security over Convenience in 2023.