LifeLock, an identity protection service offered by Symantec, was recently “unlocked.”
A website bug exposed millions of customer email addresses. Anyone with a web browser could change a number in the URL used to unsubscribe from LifeLock’s emails and, by doing so, collect customers’ email addresses.
Exclusive: LifeLock just took its site offline to fix a bug that exposed millions of customer email addresses, data that could be very useful to scammers interested in conducting mass phishing expeditions. https://t.co/KaZerLUUER pic.twitter.com/QAgyiv3pAm
“Of course, phishers could spam the entire world looking for LifeLock customers without the aid of this flaw, but nevertheless the design of the company’s site suggests that whoever put it together lacked a basic understanding of website authentication and security,” wrote Krebs.
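The flaw described above, as an added example that is not LifeLock's code or part of the original post: an unsubscribe handler that trusts the number in the URL, next to one common hardening, an HMAC signature that binds each link to one subscriber. The subscriber records, URL layout and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: ids and addresses are made up.
SUBSCRIBERS = {1001: "alice@example.com", 1002: "bob@example.com", 1003: "carol@example.com"}
SECRET_KEY = secrets.token_bytes(32)  # assumption: server-side secret, never sent to clients


def unsubscribe_page_weak(subscriber_id):
    """Weak pattern: the number in the URL is the only thing checked."""
    email = SUBSCRIBERS.get(subscriber_id)
    return None if email is None else f"Unsubscribe {email}?"


def sign(subscriber_id, key=SECRET_KEY):
    """HMAC-SHA256 tag binding a link to exactly one subscriber id."""
    return hmac.new(key, str(subscriber_id).encode(), hashlib.sha256).hexdigest()


def make_link(subscriber_id):
    """Link placed in the email sent to that subscriber (hypothetical URL layout)."""
    return f"/unsubscribe?id={subscriber_id}&sig={sign(subscriber_id)}"


def unsubscribe_page_hardened(subscriber_id, sig):
    """Verify the tag before any lookup, and never echo the address back."""
    expected = sign(subscriber_id).encode()
    if not isinstance(sig, str) or not hmac.compare_digest(expected, sig.encode()):
        return None  # same response for unknown ids and bad signatures
    if subscriber_id not in SUBSCRIBERS:
        return None
    return "Unsubscribe this address from our emails?"


def pages_with_email(handler, ids):
    """Regression check: how many ids yield a page containing an address."""
    pages = (handler(i) for i in ids)
    return sum(1 for page in pages if page and "@" in page)


def replay_one_signature(ids, known_id=1001):
    """Reuse the signature from one legitimate link against other ids."""
    sig = sign(known_id)
    return pages_with_email(lambda i: unsubscribe_page_hardened(i, sig), ids)
```

Running `pages_with_email` over a range of ids against both handlers makes a useful regression test: the weak handler returns an address for every valid id, while a signature taken from one legitimate link does not validate for any other id.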