Thousands of Norton LifeLock customers had their accounts breached, potentially giving criminal hackers access to password managers. The company revealed the data breach in a notice.
Gen Digital, Norton LifeLock’s parent company, notified customers that a credential stuffing attack (the use of breached passwords to access multiple sites/services) was likely responsible for the breach. They recommend two-factor authentication to protect against such attacks as it blocks attackers from gaining access with just a password.
The company discovered that intruders had breached accounts since December 1, almost two weeks prior to its systems recognizing a “significant amount” of failed logins on December 12.
The data breach notice warned customers that, by accessing their account with their username and password, an unauthorized third party may have viewed personal info such as first name, last name, phone number and mailing address. The company cannot rule out the possibility that the intruders also accessed saved passwords in its password manager feature.
Gen Digital notified 6,450 customers whose accounts had been compromised.
Norton LifeLock offers identity protection and cybersecurity services in the wake of increasing incidents of password theft. This year alone, LastPass confirmed a breach resulting in the compromise of millions of customers’ encrypted vaults, while Passwordstate was hacked to push a tainted update that put its customers’ passwords at risk.
Security pros recommend using password managers to create and store unique passwords, but take precautions in case of a breach.