- The company behind Norton LifeLock has indicated that threat actors gained access to hundreds of thousands of customer accounts using credential stuffing.
- This breach differs from the LastPass breach in that the organization itself was not compromised, although a subset of accounts using the Norton Password Manager feature were accessed.
- Users should update their passwords and avoid password reuse for multiple accounts.
On the heels of news that the LastPass password manager service had been impacted by a breach in August 2022, the company behind Norton LifeLock has indicated that it was impacted by a security breach in December 2022.[1] The parent company, Gen Digital, claims its own systems were not compromised but that threat actors utilized credential stuffing in order to gain access to its Norton Password Manager accounts.[2] Credential stuffing is a tactic in which threat actors utilize already-compromised account credentials to attempt to gain access to other accounts. Because of the high prevalence of password reuse, threat actors have good success using this methodology; in the case of Norton LifeLock, they were successful on several fronts.
The notice from Gen Digital indicates that the data accessed by threat actors includes first names, last names, phone numbers, and mailing addresses. Norton LifeLock has a user base of around 500 million, and not all accounts were impacted; however, the company did indicate that it had to secure about one million accounts that had been targeted with credential stuffing attacks.[3] This also indicates that the threat actors now know the usernames and passwords for any accounts successfully accessed, and thus any sensitive information stored on the password manager accounts could be at risk. Norton LifeLock has stated that it continues to monitor accounts for suspicious activity and has reset passwords on impacted accounts.[4]
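Credential stuffing as described above leaves a recognizable pattern in authentication logs: one source trying many different accounts, each only once or twice. The following is an added detection example, not code from ZeroFox or Gen Digital; the log format, thresholds, and function names are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): "<ISO time> <source IP> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2023-01-20T09:00:01 203.0.113.7 alice@example.com FAIL
2023-01-20T09:00:03 203.0.113.7 bob@example.com FAIL
2023-01-20T09:00:05 203.0.113.7 carol@example.com OK
2023-01-20T09:00:07 203.0.113.7 dan@example.com FAIL
2023-01-20T09:00:09 203.0.113.7 erin@example.com FAIL
2023-01-20T09:00:11 203.0.113.7 frank@example.com FAIL
2023-01-20T09:01:00 198.51.100.20 grace@example.com FAIL
2023-01-20T09:01:02 198.51.100.20 grace@example.com FAIL
2023-01-20T09:02:00 192.0.2.44 heidi@example.com FAIL
2023-01-20T09:02:20 192.0.2.44 heidi@example.com OK
"""

# Assumed thresholds; tune them against your own login baseline.
WINDOW = timedelta(minutes=5)
MIN_DISTINCT_USERS = 5   # many different accounts from one source
MAX_TRIES_PER_USER = 2   # each stolen pair is tried once or twice, unlike brute force

def parse(log):
    """Yield (time, ip, username, succeeded) for each non-empty log line."""
    for line in log.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            yield datetime.fromisoformat(ts), ip, user.lower(), result == "OK"

def detect_stuffing(log):
    """Return {source_ip: [accounts that logged in successfully from it]}."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in parse(log):
        by_ip[ip].append((ts, user, ok))
    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW:
                start += 1  # slide the window forward
            tries = defaultdict(int)
            for _, user, _ in events[start:end + 1]:
                tries[user] += 1
            if len(tries) >= MIN_DISTINCT_USERS and max(tries.values()) <= MAX_TRIES_PER_USER:
                # Any success from a flagged source is a likely takeover: reset it.
                findings[ip] = sorted({u for _, u, ok in events if ok})
                break
    return findings
```

The repeated failures against a single account and the ordinary mistyped-password login in the sample are deliberately not flagged; only the spray across distinct accounts is, along with the one account that was successfully accessed.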
- Update current master and stored passwords utilized on any password management service; while this will not change any impacts of affected breached vaults, it is a best practice for getting ahead of potential future attacks.
- Enforce best practices on passwords, such as complexity, uniqueness, forced expiration, and prohibiting password reuse.
- Do not share passwords, and do not reuse the same password on different websites and applications.
- Enable two-factor authentication for all organizational accounts to help mitigate phishing and credential-stuffing attacks.
- Remain vigilant against potential phishing attempts.
- If not already enabled, engage with ZeroFox for ongoing compromised credential monitoring. Immediate password changes should be implemented for any affected account.
- ZeroFox recommends remaining vigilant and denying multifactor authentication (MFA) requests not specifically triggered by logging in or requesting device enrollment. These requests are typically immediate and should not randomly appear throughout the day.
ZeroFox Intelligence is derived from a variety of sources, including—but not limited to—curated open-source accesses, vetted social media, proprietary data sources, and direct access to threat actors and groups through covert communication channels. Information relied upon to complete any report cannot always be independently verified. As such, ZeroFox applies rigorous analytic standards and tradecraft in accordance with best practices and includes caveat language and source citations to clearly identify the veracity of our Intelligence reporting and substantiate our assessments and recommendations. All sources used in this particular Intelligence product were identified prior to 10:00 AM (EST) on January 20, 2023; per cyber hygiene best practices, caution is advised when clicking on any third-party links.