Sometimes a slight glitch can put millions of customers at risk. This recently happened to LifeLock customers, though fortunately they have not faced any trouble (at least, no such reports have been received yet). The LifeLock bug could potentially have leaked millions of customers’ email addresses online, although the company disputes the number of those affected. After being notified of the glitch, the firm fixed the bug.
LifeLock Bug Leaked Customers’ Email Addresses
A freelance security researcher contacted KrebsOnSecurity to report a bug in LifeLock’s website. According to the researcher, Nathan Reese, the LifeLock bug could have leaked the email addresses of millions of its customers.
Reportedly, a glitch on LifeLock’s website could have allowed attackers to harvest the email addresses of millions of LifeLock customers. Reese noticed the flaw after receiving an email from LifeLock about membership renewal. Since he wasn’t interested, he clicked the unsubscribe link, and that is where he discovered the flaw.
“Clicking the ‘unsubscribe’ link at the bottom of the email brought up a page showing his subscriber key. From there, Reese said, he wrote a proof-of-concept script that began sequencing numbers and pulling down email addresses. Reese said he stopped the script after it enumerated approximately 70 emails because he didn’t want to set off alarm bells at LifeLock.”
Commenting about his findings, Reese said,
“If I were a bad guy, I would definitely target your customers with a phishing attack because I know two things about them. That they’re a LifeLock customer and that I have those customers’ email addresses.”
Ironically, LifeLock, a cybersecurity firm owned by Symantec, offers identity protection to its customers.
LifeLock Fixed The Bug
After LifeLock was notified about the bug, it immediately took action: it took the website down for maintenance and fixed the bug. After the original article was published, Symantec released the following statement in response to the incident.
“This issue was not a vulnerability in the LifeLock member portal. The issue has been fixed and was limited to potential exposure of email addresses on a marketing page, managed by a third party, intended to allow recipients to unsubscribe from marketing emails. Based on our investigation, aside from the 70 email address accesses reported by the researcher, we have no indication at this time of any further suspicious activity on the marketing opt-out page.”
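One way to close this class of flaw, shown as an added example (this is not LifeLock's or its vendor's code, and the article does not say how the fix was made): the unsubscribe link carries the subscriber key plus a server-side HMAC, so a guessed neighbouring key is rejected, and the response never echoes the email address. `SECRET_KEY`, `SUBSCRIBERS` and all function names are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac

# Constructed demo key; a real deployment would load this from a secrets store.
SECRET_KEY = b"constructed-demo-key-not-for-production"

# Constructed sample data: sequential subscriber keys mapped to email addresses.
SUBSCRIBERS = {1001: "alice@example.com", 1002: "bob@example.com"}
OPTED_OUT = set()


def make_unsubscribe_token(subscriber_key: int) -> str:
    """Return 'key.signature' for embedding in an unsubscribe link."""
    mac = hmac.new(SECRET_KEY, str(subscriber_key).encode(), hashlib.sha256).digest()
    sig = base64.urlsafe_b64encode(mac).rstrip(b"=").decode()
    return f"{subscriber_key}.{sig}"


def verify_unsubscribe_token(token: str):
    """Return the subscriber key if the signature is valid, otherwise None."""
    key_part, sep, sig = token.partition(".")
    if not sep or not (key_part.isascii() and key_part.isdigit()):
        return None
    expected = make_unsubscribe_token(int(key_part)).partition(".")[2]
    # Constant-time comparison so the check does not leak signature bytes.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return None
    return int(key_part)


def handle_unsubscribe(token: str) -> dict:
    """Process an opt-out without ever returning the subscriber's email."""
    key = verify_unsubscribe_token(token)
    if key is None or key not in SUBSCRIBERS:
        # Same answer for a bad signature and an unknown key: no enumeration oracle.
        return {"status": 404, "body": "Invalid or expired link."}
    OPTED_OUT.add(key)
    return {"status": 200, "body": "You have been unsubscribed."}
```
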
Glitches and vulnerabilities in websites that potentially expose customers’ information are not new. A few days ago, we reported a similar flaw in the website of Telefonica’s Movistar that exposed extensive details of its customers.