Identity Theft Protection Company LifeLock Exposes Data of 4.5 Million Users
- LifeLock released a report stating that a vulnerability in the core API of its website could have leaked user information of millions of users who signed up for identity theft prevention services.
- Email information, subscriber keys, and other personal information were publicly accessible due to a web index vulnerability on the company’s website.
- The data leak was discovered by security researcher Nathan Reese, a freelance security researcher based in the US.
With GDPR policies in place, the number of data leaks and breaches that are being revealed publicly have shot up over the past two months. The latest victim of a data leak is Symantec-owned ID theft protection firm LifeLock. The company boasts of over 4.5 million accounts according to the website literature. According to an Atlanta-based security researcher, Nathan Reese alerted KrebsOnSecurity about the vulnerability, and Symantec patched the exploit soon after.
According to Reese, the website developers lacked a basic understanding of security putting millions of users at risk. Anyone with a web browser could index all the email addresses of users along with other personal information and the subscriber numbers. It is unknown if ID thieves and phishers have already taken advantage of LifeLock’s website vulnerability.
Image Courtesy of KrebsOnSecurity
Reese’s email to KrebsOnSecurity stated “If I were a bad guy, I would definitely target your customers with a phishing attack because I know two things about them. That they’re a LifeLock customer and that I have those customers’ email addresses. That’s a pretty sharp spear for my spear phishing right there. Plus, I definitely think the target market of LifeLock is someone who is easily spooked by the specter of cybercrime.”
Before the website was patched, anyone could click the unsubscribe button at the bottom of a marketing email sent by LifeLock. It would make the subscriber key visible, and sequencing the subscriber numbers would allow customer email addresses to be found. Reese managed to pull the data of 70 users using the method. The website misconfiguration may have already cost the company some goodwill, and users are not too happy with the situation.
What do you think about the vulnerability found in Lifelock’s website? Let us know in the comments below. Get instant updates on TechNadu’s Facebook page, or Twitter handle.