LifeLock Exposed Email Addresses
Yesterday, security blogger Brian Krebs broke the news that the identity theft protection firm LifeLock exposed customer email addresses through a bug on its website. The flaw let anyone with a browser look up email addresses belonging to other customers. Although Symantec has since patched it, the issue raised concerns for LifeLock customers.
How did LifeLock leave this exposed?
How LifeLock exposed email addresses comes down to poor security practices. Security researcher Nathan Reese found the issue when he went to unsubscribe from their email list. He noticed that the unsubscribe URL contained his subscriber key, and that simply typing a different subscriber key into the URL displayed another customer's email address. In other words, the key in the URL was the only thing the site checked; it never verified that the person supplying the key was entitled to that record. This is a textbook insecure direct object reference.
Because LifeLock made these subscriber keys essentially sequential, there was nothing to guess: Reese wrote a simple script that walked through neighboring keys. With it, he quickly found 70 other customer email addresses before he stopped to notify LifeLock.
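To make the flaw concrete, here is a small added example (not code from the original post, and not LifeLock's or Symantec's code) that models both sides of it: an unsubscribe endpoint that echoes the address for whatever sequential key appears in the URL, and a hardened version whose unsubscribe links carry an HMAC token the server must be able to recompute. The subscriber table, the secret and all function names are constructed for this illustration.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample data for this example only; not LifeLock's records.
SUBSCRIBERS: Dict[int, str] = {
    1001: "alice@example.com",
    1002: "bob@example.com",
    1003: "carol@example.com",
    1007: "dave@example.com",
}

# --- Vulnerable pattern: the URL parameter is the whole "authorization" ---

def unsubscribe_vulnerable(subscriber_key: int) -> Optional[str]:
    """Models an unsubscribe page that echoes the email for whatever key is in the URL."""
    return SUBSCRIBERS.get(subscriber_key)

def enumerate_keys(start: int, count: int) -> Dict[int, str]:
    """Walk adjacent keys; with sequential keys this is all an attacker needs to do."""
    found: Dict[int, str] = {}
    for key in range(start, start + count):
        email = unsubscribe_vulnerable(key)
        if email is not None:
            found[key] = email
    return found

# --- Hardened pattern: unguessable, server-verified unsubscribe tokens ---

# Hypothetical server-side secret; a real service loads it from a secrets store,
# not from a fresh random value at import time.
_TOKEN_SECRET = secrets.token_bytes(32)

def _mac(subscriber_id: int) -> str:
    digest = hmac.new(_TOKEN_SECRET, str(subscriber_id).encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")

def make_unsubscribe_token(subscriber_id: int) -> str:
    """Token placed in the emailed unsubscribe link: '<id>.<HMAC-SHA256 over id>'."""
    return f"{subscriber_id}.{_mac(subscriber_id)}"

def mask_email(email: str) -> str:
    """Even a valid request should not echo the full address back to the browser."""
    local, _, domain = email.partition("@")
    return f"{local[:1]}***@{domain}"

def unsubscribe_hardened(token: str) -> Optional[str]:
    """Accepts only tokens the server minted; returns a masked address, never the full one."""
    id_part, sep, _ = token.partition(".")
    if not sep or not id_part.isdigit():
        return None
    subscriber_id = int(id_part)
    expected = make_unsubscribe_token(subscriber_id)
    # Constant-time comparison so response timing cannot leak how much of a guess was right.
    if not hmac.compare_digest(expected, token):
        return None
    email = SUBSCRIBERS.get(subscriber_id)
    return mask_email(email) if email else None

def enumerate_tokens(start: int, count: int) -> Dict[int, str]:
    """The same walk against the hardened endpoint: the ids are guessable, the MAC is not."""
    found: Dict[int, str] = {}
    for sid in range(start, start + count):
        # The attacker knows the token format but not the secret, so the MAC is forged.
        result = unsubscribe_hardened(f"{sid}.{'A' * 43}")
        if result is not None:
            found[sid] = result
    return found

if __name__ == "__main__":
    print("vulnerable:", enumerate_keys(1000, 10))
    print("hardened:  ", enumerate_tokens(1000, 10))
    print("own link:  ", unsubscribe_hardened(make_unsubscribe_token(1002)))
```

Run as a script, the vulnerable walk returns every subscriber in the scanned range, the same walk against the hardened endpoint returns nothing, and only a token the server itself issued succeeds. Two design choices do the work: the identifier is bound to a secret the client cannot compute, so adjacent ids are useless, and the success response is minimized, so even a leaked link reveals less.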
How long has LifeLock exposed email addresses online?
While we do not know how long the data has been available, chances are it has been a while. Web developers rarely change an interface like this unless they are making other changes to the website, so the issue has likely been present since the last major overhaul of the unsubscribe page, which could have been months or even years ago.
How many LifeLock customers does this affect?
Although this may affect all LifeLock customers, there is some good news. Symantec, the current owner of LifeLock, fixed the issue quickly. They also said they have no evidence of anyone accessing the data aside from Reese's testing, so hopefully no criminals harvested it.
Unfortunately it may be hard to know for sure. The issue was in a third-party marketing portal, and it is unclear what security practices and logging that provider had in place. This shows the need to verify your business partners' security measures, as they are a frequent source of breaches.
What should I do now?
While there is nothing you can do about this exposure, there are always lessons to be learned. If nothing else, keep this in mind when you choose business partners. Ask about their cybersecurity practices and check on them when possible.
If you need help checking on the security of third-party services, Astria has solutions to help you. Our vulnerability assessments are just one example of how we can verify your security levels. You don't have to be the next LifeLock exposed email leak. Contact us today to find out how we can keep you secure!