Identity theft protection company LifeLock exposed the email addresses of up to 55 million users through a flaw on its website
Info Guru
Picture of BamaJeepster
posted
https://krebsonsecurity.com/20...mer-email-addresses/

LifeLock Bug Exposed Millions of Customer Email Addresses

Identity theft protection firm LifeLock — a company that’s built a name for itself based on the promise of helping consumers protect their identities online — may have actually exposed customers to additional attacks from ID thieves and phishers. The company just fixed a vulnerability on its site that allowed anyone with a Web browser to index email addresses associated with millions of customer accounts, or to unsubscribe users from all communications from the company.

The upshot of this weakness is that cyber criminals could harvest the data and use it in targeted phishing campaigns that spoof LifeLock’s brand. Of course, phishers could spam the entire world looking for LifeLock customers without the aid of this flaw, but nevertheless the design of the company’s site suggests that whoever put it together lacked a basic understanding of Web site authentication and security.



Pictured above is a redacted screen shot of one such record (click the image to enlarge). Notice how the format of the link in the browser address bar ends with the text “subscriberkey=” followed by a number. Each number corresponds to a customer record, and the records appear to be sequential. Translation: It would be trivial to write a simple script that pulls down the email address of every LifeLock subscriber.

Security firm Symantec, which acquired LifeLock in November 2016 for $2.3 billion, took LifeLock.com offline shortly after being contacted by KrebsOnSecurity. According to LifeLock’s marketing literature as of January 2017, the company has more than 4.5 million customer accounts.

KrebsOnSecurity was alerted to the glaring flaw by Nathan Reese, a 42-year-old freelance security researcher based in Atlanta who is also a former LifeLock subscriber. Reese said he discovered the data leak after receiving an email to the address he had previously used at LifeLock, and that the message offered him a discount for renewing his membership.

Clicking the “unsubscribe” link at the bottom of the email brought up a page showing his subscriber key. From there, Reese said, he wrote a proof-of-concept script that began sequencing numbers and pulling down email addresses. Reese said he stopped the script after it enumerated approximately 70 emails because he didn’t want to set off alarm bells at LifeLock.

“If I were a bad guy, I would definitely target your customers with a phishing attack because I know two things about them,” Reese said. “That they’re a LifeLock customer and that I have those customers’ email addresses. That’s a pretty sharp spear for my spear phishing right there. Plus, I definitely think the target market of LifeLock is someone who is easily spooked by the specter of cybercrime.”

Misconfigurations like the one described above are some of the most common ways that companies leak customer data, but they’re also among the most preventable. Earlier this year, KrebsOnSecurity broke a story about a similar flaw at Panerabread.com, which exposed tens of millions of customer records — including names, email and physical addresses, birthdays and the last four digits of the customer’s credit card.



“Facts are stubborn things; and whatever may be our wishes, our inclinations, or the dictates of our passions, they cannot alter the state of facts and evidence.”
- John Adams
 
Posts: 29408 | Location: In the red hinterlands of Deep Blue VA | Registered: June 29, 2001
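The flaw the quoted article describes is an unsubscribe page that takes a sequential "subscriberkey" number and shows the matching record with no further check, so walking the numbers walks the customer list. The usual fix is to put an unguessable, signed, expiring token in the emailed link instead of the record number, and to have the page act on it without echoing the address back. The following Python is an added illustration written for this thread; it is not code from the article, from LifeLock, or from Symantec. The subscriber store, the timestamps and the token layout ("id.expiry.hmac") are constructed for the example, and the signing secret is generated at start-up here where a real service would load it from configuration.

```python
import hashlib
import hmac
import secrets

# Constructed sample subscriber store; ids are sequential, as in the article.
SUBSCRIBERS = {
    1001: "alice@example.com",
    1002: "bob@example.com",
    1003: "carol@example.com",
}
UNSUBSCRIBED = set()


# Pattern the article describes: the page takes ?subscriberkey=N and looks
# the record up by that number alone. Because the number is the only thing
# checked, every record is reachable by counting.
def unsubscribe_page_insecure(subscriber_key: int):
    """Returns the address the page would display, or None if no such record."""
    return SUBSCRIBERS.get(subscriber_key)


# Hardened pattern: the link carries a token bound to the record, to the
# "unsubscribe" purpose and to an expiry, all covered by an HMAC under a
# server-side secret (generated here for the example only).
SECRET_KEY = secrets.token_bytes(32)
PURPOSE = b"unsubscribe"


def _sign(subscriber_id: int, expires_at: int) -> str:
    # Binding the purpose into the MAC stops a token minted for one feature
    # from being replayed against another one that uses the same secret.
    message = PURPOSE + b"|" + f"{subscriber_id}.{expires_at}".encode()
    return hmac.new(SECRET_KEY, message, hashlib.sha256).hexdigest()


def make_unsubscribe_token(subscriber_id: int, expires_at: int) -> str:
    """Token placed in the emailed link: '<id>.<unix expiry>.<hmac-sha256 hex>'."""
    return f"{subscriber_id}.{expires_at}.{_sign(subscriber_id, expires_at)}"


def verify_unsubscribe_token(token: str, now: int):
    """Returns the subscriber id the token was issued for, or None."""
    try:
        id_part, exp_part, sig = token.split(".")
        subscriber_id, expires_at = int(id_part), int(exp_part)
    except ValueError:  # wrong number of fields or non-numeric parts
        return None
    # Constant-time comparison so the check leaks nothing about how many
    # leading bytes of a guessed signature were right.
    if not hmac.compare_digest(sig, _sign(subscriber_id, expires_at)):
        return None
    if now >= expires_at:
        return None
    if subscriber_id not in SUBSCRIBERS:
        return None
    return subscriber_id


def unsubscribe_page_hardened(token: str, now: int) -> bool:
    """Acts on a valid token and reports only success or failure; the page
    never displays the address, so even a valid link reveals nothing new."""
    subscriber_id = verify_unsubscribe_token(token, now)
    if subscriber_id is None:
        return False
    UNSUBSCRIBED.add(subscriber_id)
    return True


if __name__ == "__main__":
    issued_at = 1_700_000_000                      # constructed timestamp
    token = make_unsubscribe_token(1002, issued_at + 30 * 86400)
    print("insecure page, guessed key 1003 ->", unsubscribe_page_insecure(1003))
    print("hardened page, genuine link     ->", unsubscribe_page_hardened(token, issued_at))
    # Swapping the id in an otherwise genuine link invalidates the signature.
    print("hardened page, id swapped       ->", unsubscribe_page_hardened("1003" + token[4:], issued_at))
```

Three properties do the work here: the token cannot be derived from the record number, so neighbouring records are not reachable by counting; changing any field (id, expiry or purpose) breaks the MAC; and the endpoint confirms the action without printing the address, which is what made the original page a harvesting tool rather than merely an unsubscribe form.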
Ignored facts
still exist
posted
I never really trusted them. Something about the background of their founder bothered me.


----------------------
Let's Go Brandon!
 
Posts: 11106 | Location: 45 miles from the Pacific Ocean | Registered: February 28, 2003
Political Cynic
Picture of nhtagmember
posted
d-oh...

that's gonna leave a scar...



[B] Against ALL enemies, foreign and DOMESTIC


 
Posts: 53850 | Location: Tucson Arizona | Registered: January 16, 2002
His Royal Hiney
Picture of Rey HRH
posted
Their ads featured the CEO's Social Security number. They had to stop because he kept getting his identity stolen.



"It did not really matter what we expected from life, but rather what life expected from us. We needed to stop asking about the meaning of life, and instead to think of ourselves as those who were being questioned by life – daily and hourly. Our answer must consist not in talk and meditation, but in right action and in right conduct. Life ultimately means taking the responsibility to find the right answer to its problems and to fulfill the tasks which it constantly sets for each individual." Viktor Frankl, Man's Search for Meaning, 1946.
 
Posts: 20079 | Location: The Free State of Arizona - Ditat Deus | Registered: March 24, 2011
Member
posted
quote:
suggests that whoever put it together lacked a basic understanding of Web site authentication and security


This pretty much describes every website in existence at some level.
 
Posts: 3329 | Location: IN | Registered: January 12, 2007
Member
posted
A couple of years ago the database for the clearinghouse for security clearances got hacked...which is to say that the personal data for tens of millions of personnel who hold or have held security clearances...was taken. That data is far, far more comprehensive than any other database, and extends far beyond our own lives.

That database has quite literally every detail about the individual, as well as his or her family, friends, neighbors, former landlords, you name it. Not only was my information taken, but numerous other people that I know directly or peripherally were contacted to say the breach had occurred, and offered a year of monitoring. Ironically, while my data was taken, it seems I was the only one on my list NOT contacted with the warning.
 
Posts: 6650 | Registered: September 13, 2006
Just because you can,
doesn't mean you should
posted
Why would anyone waste money on that crap?
Just do a credit freeze.
Costs little to nothing and works.


___________________________
Avoid buying ChiCom/CCP products whenever possible.
 
Posts: 9833 | Location: NE GA | Registered: August 22, 2002
Member
Picture of MG34_Dan
posted
Gee, what a shock. But, I'm certain that the financial institutions that place personal information on "the cloud" have no flaws whatsoever in their system software.



“Elections have consequences, and at the end of the day, I won.”
– Barack Hussein Obama, January 23, 2009
 
Posts: 2197 | Location: Austin Texas USA | Registered: February 03, 2007
Member
Picture of wrightd
posted
If you're a computer systems person, it's no surprise that LOTS of systems have LOTS of security flaws. One reason for this, besides unqualified or overworked IT staff, is that many systems are enterprise class canned systems that companies purchase to run parts of their organization. Because these purchased systems are very large, it means they've been in existence for a long time, and are running code that is out of date as far as security goes, because when the systems were originally written, security was not a big issue. And because they are canned systems, you can't really plug the security holes because 1) you'd break the application, and 2) you'd void the software support warranty. Another problem is newer systems may be built the old fashioned way, by hand stick by stick, so to speak, so you're going to have tons of security holes that you don't even know you're creating. But I think overall it's the same old problem - hire unqualified people, get bad results. Not giving your IT people the tools they need to secure your own systems, get bad results. The list goes on and on. Computer systems security is very broad and deep, which is a remarkable development when you consider that just a few decades ago, external systems security wasn't even a thing so to speak.

My information has been hacked in all of the leaks we've learned about over the years, and I've never exercised any of the free offers to sign up with a monitoring agency. The reason is the exact situation that this thread is about; if my bank and the US Pentagon can't secure my data, why would I give that information to yet another TARGET RICH system, aka, anti-identity theft company databases. That's just insane.




Lover of the US Constitution
Wile E. Coyote School of DIY Disaster
 
Posts: 8931 | Location: Nowhere the constitution is not honored | Registered: February 01, 2008
Oriental Redneck
Picture of 12131
posted
Lifelock now uses Norton Internet Security.


Q






 
Posts: 27620 | Location: TEXAS | Registered: September 04, 2008
Do No Harm,
Do Know Harm
posted
quote:
Originally posted by 220-9er:
Why would anyone waste money on that crap?
Just do a credit freeze.
Costs little to nothing and works.


+1

This is my approach. Any reason it could fail?




Knowing what one is talking about is widely admired but not strictly required here.

Although sometimes distracting, there is often a certain entertainment value to this easy standard.
-JALLEN

"All I need is a WAR ON DRUGS reference and I got myself a police thread BINGO." -jljones
 
Posts: 11464 | Location: NC | Registered: August 16, 2005
Member
Picture of wrightd
posted
quote:
Originally posted by MG34_Dan:
Gee, what a shock. But, I'm certain that the financial institutions that place personal information on "the cloud" have no flaws whatsoever in their system software.

That's right. This new Cloud Architecture will be the next, and largest of all, target rich environments to date for cyber criminals. It is being pushed HARD to IT organizations, and it's a matter of time before the news headline reads that a large and sophisticated cybercrime organization hacks into large cloud systems, compromising not just one company's data, but potentially lots or all of the companies renting space and service in any one cloud provider. One undiscovered break-in could destroy a cloud provider in addition to compromising all the companies, banks, and military databases and systems running on it. Eventually the cloud will overtake existing architectures, but I'm not on board as far as computer security goes. It's hard enough to secure your own system, let alone everyone else's data systems in a large distributed cloud system. Efficient cost-effective scaling, yes; security, not so much when up against serious hacking organizations - nation states, cyber crime syndicates, etc. Good luck with that.




Lover of the US Constitution
Wile E. Coyote School of DIY Disaster
 
Posts: 8931 | Location: Nowhere the constitution is not honored | Registered: February 01, 2008
Member
Picture of wrightd
posted
quote:
Originally posted by 12131:
Lifelock now uses Norton Internet Security.

Excellent.




Lover of the US Constitution
Wile E. Coyote School of DIY Disaster
 
Posts: 8931 | Location: Nowhere the constitution is not honored | Registered: February 01, 2008
Peace through
superior firepower
Picture of parabellum
posted
One day, you're gonna wake up to the headline "Every account of any kind on the planet hacked"

Everyone, everywhere, will have all your data.
 
Posts: 109165 | Registered: January 20, 2000
His diet consists of black
coffee, and sarcasm.
Picture of egregore
posted
quote:
Identity theft protection company LifeLock exposed the email addresses of up to 55 million users through a flaw on its website

 
Posts: 28692 | Location: Johnson City, TN | Registered: April 28, 2012
Member
posted
The company I work for installs a security patch to my laptop every week. Every week for as long as I can remember. It’s a never ending game I guess.

As for e-mail addresses, I bet anyone and everyone has them already.
 
Posts: 3974 | Location: UNK | Registered: October 04, 2009
Member
posted
quote:
Originally posted by parabellum:
One day, you're gonna wake up to the headline "Every account of any kind on the planet hacked"

Everyone, everywhere, will have all your data.


Already the case. Most are simply in the dark enough to not know it.

Privacy is an illusion.
 
Posts: 6650 | Registered: September 13, 2006
quarter MOA visionary
Picture of smschulz
posted
quote:
Originally posted by radioman:
I never really trusted them. Something about the background of their founder bothered me.


Your link is a massive click-bait site.
 
Posts: 23227 | Location: Houston, TX | Registered: June 11, 2006
Peace through
superior firepower
Picture of parabellum
posted
quote:
Originally posted by sns3guppy:
quote:
Originally posted by parabellum:
One day, you're gonna wake up to the headline "Every account of any kind on the planet hacked"

Everyone, everywhere, will have all your data.
Already the case. Most are simply in the dark enough to not know it.

Privacy is an illusion.
Oh, how dramatic


____________________________________________________

"I am your retribution." - Donald Trump, speech at CPAC, March 4, 2023
 
Posts: 109165 | Registered: January 20, 2000
The Unmanned Writer
Picture of LS1 GTO
posted
quote:
Originally posted by chongosuerte:
quote:
Originally posted by 220-9er:
Why would anyone waste money on that crap?
Just do a credit freeze.
Costs little to nothing and works.


+1

This is my approach. Any reason it could fail?


It costs nothing per the article in radioman's post above (a good, but long, read). The article points out though:

quote:
Customers pay LifeLock $10 a month to call a credit bureau every three months and put a fraud alert on an account. By law, if one bureau is notified, it must alert the other two.


So in essence, you're paying them $120/yr to do something four times ($30 per effort) which you could do on your own - if you are disciplined enough to remember.






Life moves pretty fast. If you don't stop and look around once in a while, you could miss it.



"If dogs don't go to Heaven, I want to go where they go" Will Rogers

The definition of the words we used, carry a meaning of their own...



 
Posts: 14160 | Location: It was Lat: 33.xxxx Lon: 44.xxxx now it's CA :( | Registered: March 22, 2008

© SIGforum 2024