A credential stuffing attack is the likely culprit behind the recent breach of Norton LifeLock that impacted thousands of Norton Password Manager customers.
Gen Digital, the parent company of Norton LifeLock, notified customers, including nearly 6,500 Norton Password Manager customers, that private information including full names, addresses and phone numbers may have been exposed to an unauthorized third party as part of the breach.
According to its official statement to the Office of the Vermont Attorney General, Norton LifeLock believes the exposure resulted from a third party using customers' credentials, rather than from a direct breach of its own systems.
“Our own systems were not compromised. However, we strongly believe that an unauthorized third party knows and has utilized your username and password for your account… this username and password combination may potentially also be known to others,” Norton LifeLock said.
Norton also warns Norton Password Manager customers that the attack may have also exposed details stored in the platform’s private vault feature – meaning whatever sensitive information users stored there may have been breached.
“…we cannot rule out that the unauthorized third party also obtained details stored [in the Norton Password Manager], especially if your Password Manager key is identical or very similar to your Norton account password.”
Impacted accounts have had their passwords automatically reset and should have received a notification by now regarding the breach, along with a credit monitoring offer and information on next steps.
Based on an internal investigation sparked by a large volume of failed login attempts in mid-December, Norton LifeLock believes that a third party used a cyberattack method called credential stuffing to access customer accounts.
How Does Credential Stuffing Work?
Credential stuffing is a commonly used cyberattack that relies on people reusing usernames and passwords on several accounts.
The typical credential stuffing attack starts with threat actors obtaining a list of usernames and passwords from previous data breaches through the dark web or hacker forums.
After obtaining the list, the threat actor uses bots to automate large-scale attacks against other websites in hopes of accessing other accounts protected by the same username and password.
Credential stuffing may sound similar to a brute force attack, but the two are quite different: a brute force attack tries to guess credentials from scratch, and without a starting point it has a much lower success rate.
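The investigation described above started from a large volume of failed logins, and the difference from brute force is visible in the same logs: a stuffing source touches many different accounts about once each, while a brute-force source hammers a few accounts with many guesses. The following is an added example, not code from Norton LifeLock, Gen Digital or this article's author; the log line format, the thresholds and the sample log lines are constructed assumptions, and parse_line() would need to be adapted to a real authentication log.

```python
"""Flag credential-stuffing sources in authentication logs.

Added example for this article, not code from Norton LifeLock, Gen Digital or
the article's author. The log format, thresholds and sample lines are constructed
assumptions; adapt parse_line() to your own authentication logs.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical log format: "<ISO timestamp> <LOGIN_OK|LOGIN_FAIL> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>LOGIN_OK|LOGIN_FAIL)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)

# Constructed sample: 203.0.113.7 tries nine different accounts once each (two
# succeed), 198.51.100.9 hammers one account, and 192.0.2.44 is a user who mistyped.
SAMPLE_LOG = """\
2022-12-15T02:00:01 LOGIN_FAIL user=alice src=203.0.113.7
2022-12-15T02:00:02 LOGIN_FAIL user=bob src=203.0.113.7
2022-12-15T02:00:02 LOGIN_OK   user=carol src=203.0.113.7
2022-12-15T02:00:03 LOGIN_FAIL user=dave src=203.0.113.7
2022-12-15T02:00:04 LOGIN_FAIL user=erin src=203.0.113.7
2022-12-15T02:00:05 LOGIN_FAIL user=frank src=203.0.113.7
2022-12-15T02:00:06 LOGIN_OK   user=grace src=203.0.113.7
2022-12-15T02:00:07 LOGIN_FAIL user=heidi src=203.0.113.7
2022-12-15T02:00:08 LOGIN_FAIL user=ivan src=203.0.113.7
2022-12-15T02:05:00 LOGIN_FAIL user=admin src=198.51.100.9
2022-12-15T02:05:01 LOGIN_FAIL user=admin src=198.51.100.9
2022-12-15T02:05:02 LOGIN_FAIL user=admin src=198.51.100.9
2022-12-15T02:05:03 LOGIN_FAIL user=admin src=198.51.100.9
2022-12-15T02:05:04 LOGIN_FAIL user=admin src=198.51.100.9
2022-12-15T02:05:05 LOGIN_FAIL user=admin src=198.51.100.9
2022-12-15T02:05:06 LOGIN_FAIL user=admin src=198.51.100.9
2022-12-15T02:05:07 LOGIN_FAIL user=admin src=198.51.100.9
2022-12-15T03:00:00 LOGIN_FAIL user=alice src=192.0.2.44
2022-12-15T03:00:30 LOGIN_OK   user=alice src=192.0.2.44
"""


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "ok": m["result"] == "LOGIN_OK",
            "user": m["user"], "src": m["src"]}


def classify_sources(log_text, window=timedelta(minutes=10), min_attempts=8, spray_ratio=0.8):
    """Return {source_ip: verdict} for every source that reaches min_attempts in a window.

    Credential stuffing tries many different accounts about once each, so the
    share of distinct usernames among the attempts is high (>= spray_ratio).
    Brute force hammers a few accounts with many guesses, so that share is low.
    Successful logins from a stuffing source are listed so those accounts can be
    reset and their owners notified.
    """
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)

    verdicts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        recent = deque()  # sliding window of this source's attempts
        for ev in events:
            recent.append(ev)
            while ev["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            if len(recent) < min_attempts:
                continue
            users = {e["user"] for e in recent}
            kind = "credential_stuffing" if len(users) / len(recent) >= spray_ratio else "brute_force"
            # keep the densest window seen for this source
            if src not in verdicts or len(recent) >= verdicts[src]["attempts"]:
                verdicts[src] = {
                    "verdict": kind,
                    "attempts": len(recent),
                    "distinct_users": len(users),
                    "compromised": sorted(e["user"] for e in recent if e["ok"]),
                }
    return verdicts


if __name__ == "__main__":
    for src, v in classify_sources(SAMPLE_LOG).items():
        print(src, v)
```

The ratio of distinct usernames to attempts is what separates the two verdicts: the stuffing source scores 9/9, the brute-force source 1/8. In practice the thresholds and window need tuning against your own baseline, and distributed stuffing spread across many source addresses would need the same ratio computed per ASN or per user-agent rather than per IP.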
How Can Organizations Protect Against Credential Stuffing Attacks?
There are several ways to avoid being a victim of credential stuffing attacks or, at the very least, minimize the impact if you are part of a breach like the one impacting Norton LifeLock.
Enable Multi-factor Authentication (MFA)
MFA provides an additional layer of security by requiring a secondary action to access an account. These actions can include confirming a code sent via text message or phone call, biometrics, or an authenticator app such as Duo. By enabling MFA, users remain protected even if their username and password are already in the wild.
Pay Attention to Breach Notifications
If you receive a legitimate notification that an account is part of a breach (keep in mind that fake breach notifications are a popular phishing email theme), be sure to actually read the communication to understand what information was breached, the timeline and the available options which, in many cases, include credit report monitoring services.
Most importantly, act fast to change other accounts that use the same credentials as the breached account.
Use Different Usernames and Passwords
The first step is simply using different usernames and passwords for online accounts. With the plethora of online accounts people have, this may sound daunting, but it is an important step in protecting your private information.
While you may shrug off the idea of somebody having your Netflix username and password, you won’t be so calm if the same information can be used to access your banking or retirement accounts… or your password manager.
Utilize a Password Manager
Yes, there is irony in suggesting a password manager in an article based on the Norton Password Manager breach. Despite the breach, password managers still offer many advantages including the ability to protect your accounts with several complex passwords without the need to remember each individual one.
Just make sure your master password differs from the passwords on your other accounts – in this instance, the Norton customers at greatest risk were those who used the same password for their Norton LifeLock account and their Password Manager.
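Norton's notice warned that vault contents were at risk when the Password Manager key was "identical or very similar" to the account password, and the advice above on not reusing passwords turns on the same point. The following is an added example of how a defender might enforce that rule when a master password is chosen; it is not code from Norton or this article's author. The normalisation rules (case folding, undoing common digit-for-letter substitutions, dropping a trailing year or symbol), the edit-distance threshold and the sample password pairs are all constructed assumptions.

```python
"""Reject a master password that is identical or very similar to an account password.

Added example, not code from Norton LifeLock, Gen Digital or the article's author.
The normalisation rules, the distance threshold and the sample pairs are
constructed assumptions chosen to illustrate the check.
"""
import re

# Common digit/symbol-for-letter substitutions that do not add real variety.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(pw):
    """Reduce a password to its core: strip a trailing year/symbol run, fold case, undo leet."""
    core = re.sub(r"[^A-Za-z]+$", "", pw)   # "Summer2022!" -> "Summer"
    core = core.lower().translate(LEET)     # "P@ssw0rd" -> "password"
    return core or pw.lower()               # all-digit passwords keep their raw form


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def too_similar(master, account, max_distance=2):
    """True if the master password is the account password, a near edit of it,
    or one core is embedded in the other (e.g. the same word typed twice)."""
    if master == account:
        return True
    m, a = normalize(master), normalize(account)
    if m == a or levenshtein(m, a) <= max_distance:
        return True
    shorter, longer = sorted((m, a), key=len)
    return len(shorter) >= 4 and shorter in longer


if __name__ == "__main__":
    # Constructed pairs: (candidate master password, existing account password)
    for master, account in [("P@ssw0rd2022!", "password2023"),
                            ("Tr0ub4dor&3", "troubador"),
                            ("hunter2", "hunter2hunter2"),
                            ("zebra-quilt-oxygen-77", "Nort0n!")]:
        print(f"{master!r} vs {account!r}: {'reject' if too_similar(master, account) else 'ok'}")
```

Normalising before comparing is what catches the "very similar" cases: appending a new year or swapping a letter for a look-alike digit leaves the core unchanged, so the two passwords collapse to the same string. The check is deliberately conservative (it only needs the two passwords the user is entering) and says nothing about whether the account password itself has appeared in a breach list; that is a separate check.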
If you have any questions about how to strengthen your password policies, or if you’re concerned your organization’s credentials aren’t the most secure, feel free to contact our team.
Related Resources
- Article: The Top Ten Most Common Passwords of 2022
- Article: Security alert: Use these most popular passwords at your peril
- Video: How can organizations protect themselves from attacks that bypass MFA?
About Schneider Downs Cybersecurity
The Schneider Downs cybersecurity practice consists of expert practitioners offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind.
To learn more, visit our dedicated Cybersecurity page or contact the team at [email protected].
Want to be in the know? Subscribe to our bi-weekly newsletter, Focus on Cybersecurity.