Identity theft protection firm LifeLock recently fixed a vulnerability on its site that exposed their customer’s email addresses to anyone with a basic understanding of how to use a web browser.
Lifelock, more like LifeUnlock, am I right…
Sorry about that…
Bad Pun aside, here’s what happened on LifeLock’s website
The email addresses of LifeLock customers was exposed as a result of some poor website design which, as KrebsonSecurity notes (the security researcher who broke the story), is a common flaw for website designers with a minimal understanding website security.
It’s not exactly comforting that a company that prides itself on security and LOCKING YOUR IDENTITY doesn’t understand something as important as website security.
Now let’s be fair here, exposing email addresses isn’t exactly the end of the world.
Email addresses are everywhere so by just having your email address leaked, you are not inherently exposed to your identity being stole but what it does mean is that cybercriminals now have the email addresses of LifeLock customers and can use that to send finely tuned spear phishing emails aimed at gathering the login and personal info of Lifelock customers for the real attack.
So, how Exactly were the LifeLock emails exposed
LifeLock’s Website ties every customer to a numeric “subscriberkey” which is a fancy way of saying that each user has a corresponding number on their website’s backend.
The now fixed flaw on their website was that it let anyone with a browser simply type in a URL and add a random number to the subscriberkey value and they would be presented with that customer’s email address.
A clever person could then simply run script to keep counting up and therefore gain access to to every email address of every LifeLock subscriber.
BTW, it is estimated that LifeLock has 3-5 million customer accounts.
So what now for LifeLock and it’s customers
LifeLock fixed the flaw in July but the email addresses are already out in the web-o-sphere, so if you are a LifeLock customer just be aware that phishing emails are likely coming your way so make sure that any email you receive from LifeLock is legit and that you are careful with any communications from people claiming to be from LifeLock.
Click here to watch a short video showing you how to check if an email is legit.