Thousands of Norton LifeLock customer accounts have been compromised in recent weeks, potentially giving criminal hackers access to customers’ password managers, the company disclosed in a recent breach notification.
In a notice to customers, Norton LifeLock’s parent company, Gen Digital, said the likely culprit was a credential stuffing attack, in which previously exposed or compromised credentials are used to break into accounts that reuse the same passwords on other websites and services, rather than a compromise of its own systems. That is why the two-factor authentication that Norton LifeLock offers is recommended: it prevents attackers from accessing an account with the password alone.
The company said it discovered that the intruders had gained access to accounts as early as Dec. 1, nearly two weeks before its systems detected a “large number” of failed logins to customer accounts on Dec. 12.
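In authentication logs, credential stuffing tends to look different from one user mistyping a password: a single source fails against many distinct accounts with only a try or two each, and any success inside that burst marks an account whose reused password worked. The detector below is an added example, not taken from Gen Digital's notice; the event format, the thresholds and the sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source IP, username, outcome).
# IPs come from documentation ranges; usernames and dates are made up.
SAMPLE_EVENTS = [
    (f"2024-01-01T10:00:{i:02d}", "203.0.113.7", user, outcome)
    for i, (user, outcome) in enumerate([
        ("alice", "fail"), ("bob", "fail"), ("carol", "success"), ("dave", "fail"),
        ("erin", "fail"), ("frank", "fail"), ("grace", "fail")])
] + [
    # One user mistyping a password: several failures, but a single account.
    (f"2024-01-01T10:05:{i:02d}", "198.51.100.20", "heidi", outcome)
    for i, outcome in enumerate(["fail", "fail", "fail", "success"])
]

def detect_stuffing(events, window=timedelta(minutes=10), min_users=5, max_tries=2):
    """Flag sources that fail logins on many accounts, few tries each, within a window.

    Thresholds are illustrative assumptions. Returns
    {ip: {"users_tried": int, "compromised": [usernames that logged in successfully]}}.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, outcome))
    findings = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1  # slide the window forward
            span = rows[start:end + 1]
            tries = defaultdict(int)
            for _, user, _ in span:
                tries[user] += 1
            failed = {u for _, u, o in span if o == "fail"}
            # Wide and shallow: many accounts hit, only a try or two on each.
            if len(failed) >= min_users and max(tries.values()) <= max_tries:
                found = findings.setdefault(ip, {"users_tried": 0, "compromised": set()})
                found["users_tried"] = max(found["users_tried"], len(tries))
                # A success inside the same burst means a reused password worked.
                found["compromised"] |= {u for _, u, o in span if o == "success"}
    return {ip: {"users_tried": f["users_tried"], "compromised": sorted(f["compromised"])}
            for ip, f in findings.items()}

if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_EVENTS).items():
        print(ip, info)
```

Accounts listed under `compromised` are the ones to prioritise for a forced password reset and a review of what the session accessed.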
“Your first name, last name, phone number, and mailing address could be seen by an unauthorized third party accessing your account using your username and password,” the security breach notification says. The notification was sent to customers who are believed to be using the company’s password management system, as the company cannot rule out the possibility that the intruders also accessed customers’ saved passwords.
Gen Digital said it sent notifications to about 6450 customers whose accounts were compromised.
Norton LifeLock provides identity theft protection as well as cyber security services. This is the latest incident involving the theft of customer passwords. Earlier this year, password management giant LastPass confirmed a breach in which intruders compromised its cloud storage and stole the encrypted password stores of millions of customers.
In 2021, the company behind the popular password manager Passwordstate was hacked to push a tainted software update to its customers, allowing cybercriminals to steal customers’ passwords.
However, security professionals widely recommend password managers for generating and storing unique passwords, provided appropriate precautions and safeguards are in place to limit risk.