NortonLifeLock warns of password manager breach after failing to reject mass login attempts

Alfonso Maruccia

Posts: 193   +92
A hot potato: Gen Digital, the security business formerly known as Symantec and NortonLifeLock, is sending security alarms to customers of the Norton Password Manager service. According to the company, an unauthorized third-party has possibly accessed Norton accounts, which has not come from a breach in their systems but a credential stuffing attack.

Credential stuffing is a type of attack where a malicious actor collects huge troves of stolen credentials, usually comprising usernames, emails and/or passwords from previous data breaches from other services. The hackers use these stolen credentials to try and gain unauthorized access to user accounts on other platforms -- assuming the user has reused the same passwords -- by executing large-scale automated login attempts against a web or remote application.

Using two-factor authentication usually helps in preventing this type of attack, which NortonLifeLock offers, as it would prevent hackers from accessing an account with just a password.

NortonLifeLock completed an internal investigation around December 22, 2022, discovering an "unusually large volume" of failed login attempts to customer accounts on December 12, 2022. The investigation determined that, beginning around December 1, 2022, a malicious actor was using a list of usernames and passwords obtained from other sources such as illegal marketplaces on the "dark web."

A security breach note was sent to Norton clients that indicating that they "strongly believe that an unauthorized third party knows and has utilized your username and password for your account." The Arizona-based corporation states that 925,000 "inactive and active" Norton accounts could have been targeted by credential-stuffing attacks.

Upon a successful login attempt, NortonLifeLock warns, cyber-criminals may have viewed "your first name, last name, phone number, and mailing address." For customers using the Norton Password Manager, Norton says it cannot rule out the potential breach of additional details and data stored there -- "especially if your Password Manager key is identical or very similar to your Norton account password," the company warns.

To protect users and to avoid further credential stuffing attacks, NortonLifeLock has reset the affected Norton accounts and has taken "numerous measures" to counter hackers' efforts. The company is strongly encouraging users to activate two-factor authentication, and it's offering a free credit monitoring service (Equifax, Experian or TransUnion) to affected users.

Norton also recommends all users to urgently change their passwords for all accounts they had stored on the password manager. Password hygiene is paramount, NortonLifeLock says, therefore users should change passwords on a regular basis, avoid using the same password more than once, and only use unique and complex passwords.

Permalink to story.



Posts: 1,399   +1,039
My main take away - their monitoring software should have been better
Use 2FA
Do not reuse passwords

I would imagine these attacks would change IP address for each account.
But I was under the impression sysadmins have real time info - TBF daily attacks are as common as dust - yet this should have been picked up


Posts: 4,571   +6,877
Norton's highest-tier subscription includes monitoring of info selling sites but NOT removal of your data. This should be a basic service nowadays.


Posts: 180   +150
^^this! That’s why I also never used Lastpass or whatever it is called - yeah that’s a great idea, let’s put all my passwords in one place so that when it gets hacked (not if but when) you will loose not one but all your passwords in one go! Splendid!