Misconfigured LifeLock Database May Lead To Targeted Phishing

August 3, 2018

Some days you win and some days you lose. One particular day this July, the identity theft protection company LifeLock lost…big. A researcher found that a misconfigured server allowed him to download email addresses of LifeLock customers. He only accessed a small number of them, but that was enough for him and others to realize that this server was a problem. If a cybercriminal found the same issue, the entire customer base of LifeLock would be at risk of receiving targeted phishing emails.

As reported by Brian Krebs of Krebs on Security, the researcher received an email at an address he’d used when he was a LifeLock member. When he clicked the “unsubscribe” link in the email, it took him to a page with a peculiar URL. In another scenario, that email could very well have been a phishing email, and he wouldn’t have had a second thought about clicking it. That’s the real danger of this situation.

In that URL was his specific customer ID number. With a little bit of poking around, he found that those numbers are sequential, and he was able to pull the email addresses that were linked to those ID numbers. After retrieving 70 of them, he stopped and reported it to Krebs.

LifeLock subscribers, current and former, should be on alert for phishing email messages, SMS messages, and all other types of phishing that may trick them into clicking links or attachments. With just the two pieces of information retrieved in this incident (email addresses and the fact that they belong to LifeLock subscribers), a scammer can do a lot of damage. Instead of clicking on any links, especially those that ask for sensitive information, go directly into your account using a trusted link. There are typically unsubscribe options in there, as well as ways to modify other account details. There’s no need to click a link from an email or text message to do this.

Symantec immediately took the page down when Krebs contacted them. He was subsequently told that the issue was due to a third-party managed page that was misconfigured. That may be true, but it was obviously not handled with care. Third parties can be great partners, but it’s up to the company whose data they’re managing to stay on top of them and ensure their customer data isn’t being accidentally exposed. This is true no matter what the business does. In this case, it’s not only worrisome; it’s also embarrassing for Symantec. Business owners and managers…don’t let it happen to you.
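One way to avoid the pattern described above, where a sequential customer ID in the unsubscribe URL returned the matching email address, is to bind each link to a keyed MAC and never echo the address back. This is an added example, not code from LifeLock, Symantec or the third party; the function names, key and sample records are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Assumption: secret known only to the service that sends mail and serves the page.
SECRET_KEY = b"constructed-demo-key"
# Constructed sample records keyed by sequential customer ID.
CUSTOMERS = {1001: "alice@example.com", 1002: "bob@example.com", 1003: "carol@example.com"}
UNSUBSCRIBED = set()
GENERIC_REPLY = "If this link was valid, your preferences have been updated."


def weak_unsubscribe_page(customer_id: int) -> str:
    """Pattern described in the article: bare sequential ID in, address out."""
    email = CUSTOMERS.get(customer_id)
    return f"Unsubscribe {email}?" if email else "Not found"


def _sign(customer_id: int) -> str:
    msg = f"unsubscribe:{customer_id}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_unsubscribe_token(customer_id: int) -> str:
    """Value embedded in the e-mailed link: the ID plus a MAC bound to it."""
    return f"{customer_id}.{_sign(customer_id)}"


def resolve_token(token: str):
    """Return the customer ID only if the MAC matches; otherwise None."""
    id_part, sep, sig = token.partition(".")
    if not sep or not (id_part.isascii() and id_part.isdigit()):
        return None
    customer_id = int(id_part)
    expected = _sign(customer_id).encode()
    # Constant-time comparison so the check does not leak how much matched.
    if not hmac.compare_digest(sig.encode("utf-8", "replace"), expected):
        return None
    return customer_id


def hardened_unsubscribe_page(token: str) -> str:
    """Acts on a valid token but never echoes the address or confirms validity."""
    customer_id = resolve_token(token)
    if customer_id in CUSTOMERS:
        UNSUBSCRIBED.add(customer_id)
    return GENERIC_REPLY
```

Changing the ID inside a valid token invalidates the MAC, so neighbouring records cannot be reached from one's own link, and the page returns the same reply either way.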

Stickley on Security
Published August 2, 2018