Nearly 15 Million Consumers Exposed by Breach & Vulnerable Website

Cybercriminals continually target personally identifiable information, which when matched with financial data can enable criminals to compromise identities. Facebook’s market woes and ongoing influence campaign pronouncement overshadowed some recent breach news.

Brian Krebs in his blog KrebsOnSecurity reported, “Identity theft protection firm LifeLock — a company that is built a name for itself based on the promise of helping consumers protect their identities online — may have exposed customers to additional attacks from ID thieves and phishers.” The company noted Krebs fixed a vulnerability on its site that allowed anyone with a web browser to index email addresses associated with millions of customer accounts, or to unsubscribe users from all communications.

LifeLock’s website exposed customer email addresses by tying each customer account to a numeric “subscriberkey.” Krebs observed it would be trivial to write a simple script that pulls the email address of every LifeLock subscriber, which reportedly exceeds 4.5 million. Lifelock stated, “We have no indication at this time of any further suspicious activity on the marketing opt-out page.”

Several cybersecurity experts weighed in on the LifeLock vulnerability.

Chris Stoneneff, vice president of security solutions, Bomgar said, “No matter who the vendor email appears to come from, don’t click on links or call the numbers in those emails. If I have a relationship with the vendor already, and there is an interesting offer or message, call the company directly or go to their website directly and talk to the vendor directly.” Stoneneff held in this world people want easy access and one-click type protection, but convenience makes companies that collect this information exceptionally high value targets.

“Krebs describes a web team that ‘lacked a basic understanding of website authentication and security,’” Pravin Kothari, CEO, CipherCloud said. “This poor set-up seems to have allowed anyone to harvest all of the LifeLock subscriber emails, potentially for a phishing campaign or worse.” Kothari suggested LifeLock should have copied what the financial industry does. “They regularly hire white hat hackers to penetration test their network and external defenses.”

Paul Bischoff, privacy advocate, Comparitech.com, stated, “The website vulnerability is a bit embarrassing for a company devoted to protecting people’s online identities, especially because it’s such a rookie mistake to make.” Bischoff added it was not particularly severe and patched before doing any real harm, according to Lifelock.

Mounir Hahad, head of threat research, Juniper Networks, maintained this is a poor programming practice, not a misconfiguration. “On a positive note, it’s good that only email addresses were leaked. Single email addresses with names, or even a few hundred, might not have much street value on the dark web. Hahad added that the trouble begins when hackers can cross-reference email addresses and subscriber IDs to the billions of previously leaked online accounts.

“It’s bad enough that our personal information is under assault, but we also have to be extremely wary of companies that are exploiting attacks to drum up business. It is inexcusable for a company like LifeLock to have anything but the most resilient systems and security practices,” Willy Leichter, vice president of marketing, Virsec said. These companies Leichter explained store multiple credit cards, SSNs, banking accounts, address info and more to monitor unauthorized use. “Attackers who penetrate these services can hit the jackpot of personal data in a one-stop shop.”

Then there is Dixons Carphone, a multinational electronic and telecommunications retailer/services company headquartered in London, which in June 2018 acknowledged a data breach involving an estimated 5.9 million payment cards and 1.2 million personal data records. Upon further review Dixons Carphone now said the breach involved 10 million customers.

Bill Evans, vice president and security expert, One Identity, asked. “How or why did the investigators miss so many breached records? They managed to find the first million but missed the other nine million? Seems odd. It may be some time before we know as the details remain sketchy.”

Evans suggested the paradox is that Dixon’s reported information from most of the stolen credit cards protected by the pin and chip security strategy. “One has to wonder whether this same strategy was in place within the realm of the administrators at Dixons?”