Another Password Manager Breach: NortonLifeLock Apes LastPass

NortonLifeLock is warning customers their passwords are loose. First LastPass, now this?

What use is a password manager that leaks your password? Seems that, like LastPass, NortonLifeLock did a lousy job of remediating weak master passwords. Plus it took 12 days to detect the breach and another 32 days to tell anyone.

These things come in threes. In today’s SB Blogwatch, we wonder who’s next.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Shakira/Bizarrap vs. Gaga.

Monkey123 See — Monkey123 Do

What’s the craic? Bill Toulas reports—“NortonLifeLock warns that hackers breached Password Manager accounts”:

Could lead to the compromise of other online accounts
Gen Digital, formerly Symantec Corporation and NortonLifeLock, is sending data breach notifications to customers, informing them that hackers have successfully breached Norton Password Manager accounts. … For customers utilizing the Norton Password Manager feature, the notice warns that the attackers might have obtained details stored in the private vaults.

This could lead to the compromise of other online accounts, loss of digital assets, exposure of secrets, and more. NortonLifeLock underlines that the risk is especially large for those who use similar Norton account passwords and Password Manager master keys, allowing the attackers to pivot more easily.

What’s the scale of the problem? Zack Whittaker knows—“thousands of customer accounts breached”:

It’s the latest incident
Gen Digital said it sent notices to about 6,450 customers whose accounts were compromised. [It] said that the likely culprit was a credential stuffing attack … rather than a compromise of its systems.

It’s the latest incident involving the theft of customer passwords of late. Earlier this year, password manager giant LastPass confirmed a data breach in which intruders compromised its cloud storage and stole millions of customers’ encrypted password vaults. In 2021, the company behind a popular enterprise password manager called Passwordstate was hacked … allowing the cybercriminals to steal customers’ passwords.

Yikes. Tara Seals the deal—“accounts may have, ironically, been compromised via simple credential stuffing”:

Unlock a veritable treasure trove of data
Gen Digital … is sending data-breach notifications to customers, noting that it picked up on the activity on Dec. 12, when its IDS systems flagged “an unusually high number of failed logins.” … It added, “We cannot rule out that the unauthorized third party also obtained details … especially if your Password Manager key is identical or very similar to your Norton account password.” Those “details,” of course, are the strong passwords generated for any online services the victim uses, including corporate logins, online banking, tax filing, messaging apps, e-commerce sites, and more.

Attackers lately have focused on identity and access management systems as a target, given that one compromise can unlock a veritable treasure trove of data across high-value accounts … not to mention a bevy of enterprise pivot points for moving deeper into networks. … LastPass, for instance, was targeted in August 2022 via an impersonation attack [and] last month, the company suffered a follow-on attack on a cloud storage bucket.

“Credential stuffing”? ELI5? djha-skin explains like you’re five:

Accounts were breached by using credential stuffing, which means using a password that was in some password breach and seeing if the users had reused their password. LifeLock wasn’t hacked at all. … Some users were compromised but this was due to password reuse.

Clear as mud. Try harder? u/djasonpenney gives it another shot:

One of the major attack strategies of the last few years. Suppose you have created an account on a website like www.weselljunk.com, and let’s suppose that website does not follow best infosec practices, so they suffer a security breach, and all their email addresses and associated passwords are stolen.

What happens in a credential stuffing attack is bad actors use your username plus password … everywhere. They try it on everything from Amazon to Umpqua Bank. If you reused that same password … on another website, they may find it.

Never reuse a password. Don’t make any passwords up yourself, and don’t let them be at all similar. Yeah, at this point you pretty much have to use a password manager to keep them straight. To reuse a password used as a master password is an entirely greater level of stupidity. If you have a password manager, why the hell would you use your master password anywhere else?
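The signal Gen Digital’s IDS picked up (an unusually high number of failed logins) and the stuffing mechanics u/djasonpenney describes boil down to one source walking a breach list of *different* usernames, almost all of them failing. The toy detector below is an added example, not code from Gen Digital or any quoted commenter; its log format, thresholds and IP addresses are constructed.

```python
# Added example (not from the original post): flag sources whose login
# behaviour inside a short window looks like credential stuffing: many
# distinct accounts tried, a low success rate. The few successes are the
# accounts that actually need a breach notice.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: "timestamp ip username result"
SAMPLE_LOG = """\
2022-12-12T03:00:01 203.0.113.7 alice@example.com FAIL
2022-12-12T03:00:02 203.0.113.7 bob@example.com FAIL
2022-12-12T03:00:02 203.0.113.7 carol@example.com FAIL
2022-12-12T03:00:03 203.0.113.7 dave@example.com OK
2022-12-12T03:00:04 203.0.113.7 erin@example.com FAIL
2022-12-12T03:00:05 203.0.113.7 frank@example.com FAIL
2022-12-12T03:00:01 198.51.100.9 grace@example.com FAIL
2022-12-12T03:00:09 198.51.100.9 grace@example.com FAIL
2022-12-12T03:00:20 198.51.100.9 grace@example.com OK
"""

def parse(log):
    """Turn raw log lines into (timestamp, ip, user, succeeded) tuples."""
    events = []
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events

def detect_stuffing(events, window=timedelta(minutes=5),
                    min_users=5, max_success_rate=0.25):
    """Sliding-window check per source IP. A legitimate user retyping one
    account's password never trips it: only one distinct username."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # drop old events
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            hits = sorted(u for _, u, ok in span if ok)
            if len(users) >= min_users and len(hits) / len(span) <= max_success_rate:
                flagged[ip] = {"attempts": len(span), "distinct_users": len(users),
                               "hits": hits}   # hits = accounts to notify
    return flagged
```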

In summary? I feel good about FeelGood314’s neat précis:

I suspect this is a case of password reuse. Someone got a large number of usernames and passwords and then decided to try these against NortonLifeLock. … Gen Digital noticed an unusually high number of unsuccessful login attempts to NortonLifeLock and have notified their users.

But it didn’t notice until much, much too late. acdha has a long-enough memory:

LifeLock was always a scam, not a security company, and they had a history of security problems. Norton acquired them but as a subsidiary I’d expect less culture change, especially given Norton’s own history here.

Who’d put their passwords in the cloud? groobly wouldn’t:

Willie Sutton had it right: “I rob banks because that is where the money is.” What is more enticing to a hacker, a place with millions of passwords, or a place with only a few?

Keeping your passwords on your own machine is safer because you are not of great interest to hackers who are looking for passwords. It also helps if you don’t call the file passwords.txt.

Meanwhile, u/Wildweed feels vindicated:

“Use a password manager,” they said.
I said, “Does not sound safe, **** that.”
I win.

And Finally:

Dance in the Diss

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: moneyphotos (via Unsplash; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
