The 2017 Equifax hack led to the theft of more than 145 million customers’ data. No doubt many flocked to identity theft protection services such as LifeLock in the aftermath. Now, some of those customers might find that they are again in the crosshairs of identity thieves and phishers, due to a vulnerability that left customer data exposed on LifeLock’s website.
At the heart of the problem was how the website identified customer records. “LifeLock’s web site exposed customer email addresses by tying each customer account to a numeric ‘subscriberkey’ that could be easily enumerated,” explains Brian Krebs on his site KrebsOnSecurity. Because the key was a plain sequential number and the page did not check who was asking, anyone could step through the key space and read back the record behind each value.
The flaw would have allowed an attacker to harvest the email addresses tied to millions of customer accounts. Knowing both that a person is a LifeLock customer and that person’s email address, criminals could send targeted phishing emails while posing as LifeLock.
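The enumeration pattern described above, as an added example that is not LifeLock’s code and is not taken from the KrebsOnSecurity story: a toy lookup page that trusts a sequential numeric subscriberkey from the query string, the attacker’s harvesting loop against it, and the two fixes a reviewer would ask for. The subscriber table, session ids and server secret are constructed for the example; the token format (`<key>.<HMAC-SHA256>`) is an assumed design, not anything LifeLock deployed.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, Optional

# Constructed sample data (not real subscribers): sequential numeric keys,
# exactly the kind an attacker can count through.
SUBSCRIBERS: Dict[int, str] = {
    1001: "alice@example.com",
    1002: "bob@example.com",
    1003: "carol@example.com",
}

# --- Vulnerable pattern -------------------------------------------------

def vulnerable_unsubscribe_page(subscriberkey: int) -> Optional[str]:
    """Models a page that trusts a numeric id from the URL.

    No session, no ownership check, no unguessable secret: whoever supplies
    a key gets the record behind it. Returns the email the page would show.
    """
    return SUBSCRIBERS.get(subscriberkey)


def harvest(page: Callable[[int], Optional[str]], keys: Iterable[int]) -> Dict[int, str]:
    """The attacker's loop: walk a key range and keep every hit."""
    hits: Dict[int, str] = {}
    for key in keys:
        email = page(key)
        if email is not None:
            hits[key] = email
    return hits

# --- Fix 1: unguessable, server-authenticated token for link-based pages ---

# Assumption: generated once and kept server-side only (e.g. from a secret store).
SERVER_SECRET = secrets.token_bytes(32)


def _mac_for(subscriberkey: int) -> str:
    return hmac.new(SERVER_SECRET, str(subscriberkey).encode(), hashlib.sha256).hexdigest()


def issue_unsubscribe_token(subscriberkey: int) -> str:
    """Returns '<key>.<mac>' with mac = HMAC-SHA256(SERVER_SECRET, key).

    The numeric key is still visible, but it is useless without a MAC that
    only the server can compute, so counting through keys yields nothing.
    """
    return f"{subscriberkey}.{_mac_for(subscriberkey)}"


def hardened_unsubscribe_page(token: str) -> Optional[str]:
    """Accepts only a token whose MAC verifies (constant-time comparison)."""
    try:
        key_str, mac = token.split(".", 1)
        subscriberkey = int(key_str)
    except ValueError:
        return None
    if not hmac.compare_digest(mac, _mac_for(subscriberkey)):
        return None
    return SUBSCRIBERS.get(subscriberkey)

# --- Fix 2: ownership binding for logged-in pages --------------------------

# Constructed session store: session id -> subscriberkey of the logged-in user.
SESSIONS: Dict[str, int] = {"sess-alice": 1001}


def authenticated_account_page(session_id: str, subscriberkey: int) -> Optional[str]:
    """The id in the URL may only be used by the session that owns it."""
    owner = SESSIONS.get(session_id)
    if owner is None or owner != subscriberkey:
        return None
    return SUBSCRIBERS.get(subscriberkey)


if __name__ == "__main__":
    print("vulnerable:", harvest(vulnerable_unsubscribe_page, range(1000, 1010)))
    forged = lambda k: hardened_unsubscribe_page(f"{k}.{'0' * 64}")
    print("hardened, forged MACs:", harvest(forged, range(1000, 1010)))
    print("hardened, real token:", hardened_unsubscribe_page(issue_unsubscribe_token(1002)))
```

The first fix is the one that applies to an unsubscribe link, which by nature arrives without a login: the identifier in the link must be unforgeable, not merely hard to guess. The second applies to any page shown after authentication, where the identifier in the URL must be checked against the session that presents it. Neither fix depends on hiding the numeric key; rate limiting would slow the harvest but would not close the hole.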
Freelance security researcher Nathan Reese, who discovered the vulnerability, told Krebs, “If I were a bad guy, I would definitely target your (Lifelock’s) customers with a phishing attack because I know two things about them. That they’re a LifeLock customer and that I have those customers’ email addresses. That’s a pretty sharp spear for my spear phishing right there.”
According to Krebs, whoever built the site was not well versed in website authentication and security.
Get the full story at KrebsOnSecurity.