Security blogger Brian Krebs posted yesterday that identity theft protection firm LifeLock — a company that’s built a name for itself based on the promise of helping consumers protect their identities online — may have actually exposed customers to additional attacks from ID thieves and phishers. Security firm Symantec, which acquired LifeLock in November 2016, took LifeLock.com offline shortly after being contacted by KrebsOnSecurity. According to LifeLock’s marketing literature as of January 2017, the company has more than 4.5 million customer accounts.
Neill Brookman, Head of EMEA Pre-sales at Janrain:
“It is ironic that a company promoting their services to consumers to protect against data breaches implements such a basic form of security to manage the user records, allowing a data breach. Using a sequential ID for each consumer record rather than a GUID (globally unique identifier) suggests they have poor development standards and no proper testing or quality control.
“A sequential ID or email address should never be used as an identifier in an application, as it is open to phishing attacks and very insecure. Consumers need to be educated and become more vigilant when signing up to services like LifeLock by checking the URLs presented as part of registration and management, and cancel the service immediately if it appears that a sequential number or their email address is used in the URL.”
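As an added illustration of the sequential-ID problem Brookman describes (example code written for this page, not LifeLock's or Symantec's; the record store, customer ids and session names are constructed), the weak handler below keys a record purely on a guessable integer, while the hardened one addresses records by an unguessable random token and also checks that the caller owns the record.

```python
import secrets

# Constructed sample store keyed by sequential customer ids, the pattern the
# quote criticizes. These records are made up for this example.
CUSTOMERS = {
    1001: {"email": "alice@example.com"},
    1002: {"email": "bob@example.com"},
}


def lookup_weak(customer_id):
    """Weak pattern: the sequential id in the URL is the only key and there is
    no check of who is asking, so adjacent ids resolve to other customers."""
    record = CUSTOMERS.get(customer_id)
    return record["email"] if record else None


# Hardened pattern: each customer is reached through a random token that cannot
# be enumerated, and the request must also carry the caller's session identity,
# which is compared against the owner recorded for that customer.
TOKENS = {}   # token -> customer_id
OWNER = {}    # customer_id -> session user allowed to act on it


def issue_token(customer_id, session_user):
    """Mint a 256-bit random token for a customer and record the owner."""
    token = secrets.token_urlsafe(32)
    TOKENS[token] = customer_id
    OWNER[customer_id] = session_user
    return token


def lookup_hardened(token, session_user):
    """Resolve a token only for the session that owns the record."""
    customer_id = TOKENS.get(token)
    if customer_id is None or OWNER.get(customer_id) != session_user:
        return None  # unknown token, or caller is not the owner
    return CUSTOMERS[customer_id]["email"]
```

A random GUID (version 4) works as the unguessable identifier too, but the point of the second function is that an opaque id alone is not enough: the ownership check is what stops a leaked or forwarded link from exposing someone else's record.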
Rich Campagna, CMO at Bitglass:
“LifeLock’s misconfiguration is yet another example of how an unknown vulnerability can pose a major threat to data security and brand reputation. Enterprises need to have visibility across their networks, cloud services, and devices in order to prevent and monitor for these kinds of risks. This data leak could have been avoided by using data-centric security tools that can ensure appropriate configurations, deny unauthorized accesses, and encrypt sensitive data at rest. Because LifeLock failed to utilize such a solution, millions of customers have had their data exposed, become more vulnerable to highly targeted spear phishing campaigns, and lost trust in a company dedicated to keeping their data safe.”
Mark Weiner, CMO at Balbix:
“The exposed email addresses of LifeLock customers unfortunately do make them easy targets for those engaged in spear-phishing. Not having broad visibility into the breach risk across an enterprise’s entire attack surface continues to be an issue for most organizations, and attackers are waiting for opportunities like this to strike. When an enterprise is not thinking proactively, misconfigurations such as this are easily missed. LifeLock may also suffer some brand reputation damage due to the bug.”