LifeLock Unlocked by Security Flaw

Joe Engelking


Identity theft protection firm LifeLock recently fixed a vulnerability on its site that exposed its customers’ email addresses to anyone with a basic understanding of how to use a web browser.

Lifelock, more like LifeUnlock, am I right…

Sorry about that…

Bad pun aside, here’s what happened on LifeLock’s website

 

Todd David, Founder of LifeLock

The email addresses of LifeLock customers were exposed as a result of some poor website design which, as KrebsOnSecurity (the security researcher who broke the story) notes, is a common flaw among website designers with a minimal understanding of website security.

It’s not exactly comforting that a company that prides itself on security and LOCKING YOUR IDENTITY doesn’t understand something as important as website security.

Now let’s be fair here, exposing email addresses isn’t exactly the end of the world.

Email addresses are everywhere, so having your email address leaked does not inherently expose you to having your identity stolen. What it does mean is that cybercriminals now have the email addresses of LifeLock customers and can use them to send finely tuned spear-phishing emails aimed at gathering the login and personal info of LifeLock customers for the real attack.

 

So, how exactly were the LifeLock emails exposed?

 


LifeLock’s website ties every customer to a numeric “subscriberkey”, which is a fancy way of saying that each user has a corresponding number on the website’s backend.

The now-fixed flaw was that the website let anyone with a browser simply type in a URL, add a random number as the subscriberkey value, and be presented with the email address of the customer tied to that number.

A clever person could then simply run a script to keep counting up and thereby gain access to the email address of every LifeLock subscriber.

BTW, it is estimated that LifeLock has 3-5 million customer accounts.
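The subscriberkey lookup described above, next to one way of closing it, as an added example that is not LifeLock's code: the function names, the sample records and the HMAC link-token scheme are all assumptions made for illustration, since the story does not say how the site was actually fixed.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: subscriberkey -> email (not real customers).
SUBSCRIBERS = {
    1001: "alice@example.com",
    1002: "bob@example.com",
    1003: "carol@example.com",
}

# Server-side secret (assumption: in production it comes from a secrets store).
LINK_SECRET = secrets.token_bytes(32)


def lookup_vulnerable(subscriberkey):
    """The flawed pattern: the number in the URL is the only 'credential'."""
    return SUBSCRIBERS.get(subscriberkey)


def make_link_token(subscriberkey):
    """HMAC tag the server embeds in links it sends to that one subscriber."""
    msg = str(subscriberkey).encode()
    return hmac.new(LINK_SECRET, msg, hashlib.sha256).hexdigest()


def lookup_hardened(subscriberkey, token):
    """Return the email only if the token was issued for this exact key."""
    expected = make_link_token(subscriberkey)
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return None  # same answer for a bad token and an unknown key
    return SUBSCRIBERS.get(subscriberkey)


def count_exposed(lookup, keys):
    """Regression check: how many records come back when keys are walked."""
    return sum(1 for k in keys if lookup(k) is not None)


if __name__ == "__main__":
    keys = range(1000, 1005)
    print("vulnerable:", count_exposed(lookup_vulnerable, keys))
    # One legitimately issued token (for 1001) replayed against every key.
    replayed = make_link_token(1001)
    print("hardened:", count_exposed(lambda k: lookup_hardened(k, replayed), keys))
```

A check like `count_exposed` belongs in the site's test suite, so that a page which starts answering for neighbouring subscriberkey values fails the build.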

 

So what now for LifeLock and its customers?

 

LifeLock fixed the flaw in July, but the email addresses are already out in the web-o-sphere. If you are a LifeLock customer, be aware that phishing emails are likely coming your way: make sure that any email you receive from LifeLock is legit, and be careful with any communications from people claiming to be from LifeLock.

 
