Norton LifeLock Customers Warned that Password Vaults May be At Risk

The antivirus software and cybersecurity firm Norton has recently started notifying certain Norton LifeLock customers that a malicious actor has gained access to their Norton accounts and potentially also accessed their password vaults. Users have been advised to change the password for their Norton account and Password Manager immediately.

The news comes shortly after one of the world’s most popular password managers – LastPass – suffered a data breach in which a copy of users’ encrypted password vaults was stolen. Norton has not suffered a data breach and its systems have not been hacked, but there is still a risk to certain users – those that have committed the cardinal sin of password management and have not set complex, unique passwords for their Norton account and password manager.

According to the notification letters now being sent, Norton detected a credential stuffing campaign targeting its users. Credential stuffing is the use of lists of usernames and passwords compromised in earlier data breaches to try to gain access to accounts on other platforms. The lists are compiled from multiple data breaches and are used to try to access a wide range of accounts. Credential stuffing attacks can only succeed when there has been password reuse, i.e. when the same password has been used to secure accounts on multiple platforms.

Gen Digital, which owns the Norton brand, says it detected a credential stuffing campaign on December 12, 2022, which had been running since at least December 1, 2022, and had been targeting Norton accounts. Notifications have been sent to more than 6,450 individuals whose Norton accounts were accessed by unauthorized individuals. Those account holders also use the Password Manager feature, which means their Password Manager may have been accessed and is certainly at risk, especially if their Password Manager key is the same as or similar to their Norton account password.
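The pattern Norton’s notification describes, one source trying many different accounts with mostly failed logins, is what a defender looks for in authentication logs. The following detector is an added illustration, not Norton’s code; the log format and the sample lines are constructed for the example, and the thresholds are assumptions to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication log lines (not real Norton data):
# one source IP tries many distinct accounts with mostly failures, while a
# normal user mistypes once and then logs in from a different IP.
SAMPLE_LOG = """\
2022-12-12T10:00:01Z ip=203.0.113.7 user=a1@example.com result=FAIL
2022-12-12T10:00:02Z ip=203.0.113.7 user=b2@example.com result=FAIL
2022-12-12T10:00:03Z ip=203.0.113.7 user=c3@example.com result=FAIL
2022-12-12T10:00:04Z ip=203.0.113.7 user=d4@example.com result=OK
2022-12-12T10:00:05Z ip=203.0.113.7 user=e5@example.com result=FAIL
2022-12-12T10:00:06Z ip=203.0.113.7 user=f6@example.com result=FAIL
2022-12-12T10:05:00Z ip=198.51.100.9 user=alice@example.com result=FAIL
2022-12-12T10:05:20Z ip=198.51.100.9 user=alice@example.com result=OK
"""

def parse_line(line):
    """Parse one 'ts ip=.. user=.. result=..' line (assumed format) into a dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def find_stuffing_sources(log_text, window=timedelta(minutes=10),
                          min_users=5, max_success_rate=0.5):
    """Return {ip: (distinct_users, attempts, successes)} for source IPs whose
    activity inside any `window` looks like credential stuffing: many
    distinct usernames tried with a low success rate (thresholds assumed)."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0  # sliding window over this IP's attempts, oldest first
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            win = recs[start:end + 1]
            users = {r["user"] for r in win}
            successes = sum(r["result"] == "OK" for r in win)
            if len(users) >= min_users and successes / len(win) <= max_success_rate:
                flagged[ip] = (len(users), len(win), successes)
    return flagged
```

The single success from the flagged source is the case that matters: it marks an account whose reused password was guessed and whose vault should be treated as exposed.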

The risk doesn’t end there: if their Norton password has also been used to secure non-Norton accounts, those accounts are at risk too. Norton says users’ Norton accounts contain information such as first name, last name, phone number, and mailing address, but if their Password Manager has been compromised, every password stored in that vault will have been obtained by the hackers.

Norton said it has reset the passwords of the affected customers to prevent any further unauthorized access, and that numerous measures were taken to impede the unauthorized individuals’ efforts to validate credentials and access accounts. Affected users have also been offered complimentary credit monitoring services.

“We recommend urgently changing your password, not only with Norton, but also on all other sites where you may have used the same password. All passwords stored in Norton Password Manager should immediately be changed,” explained Norton in the notification.

Norton stressed that this was not a hack; instead, it was a rather unsophisticated attempt to gain access to users’ accounts. Norton provides 2-factor authentication to help secure users’ accounts, and all users should enable it. This attack only succeeded because of password reuse. Users should never use the same password for more than one account, and the passwords they set should be unique and ideally generated using the Norton password generator feature.

Password managers are convenient software solutions that help people create complex, unique passwords for their accounts to keep them secure. These solutions store a user’s entire collection of passwords in an encrypted password vault. Naturally, password managers are an attractive target for hackers, as if one account is compromised, a user’s entire password collection can be obtained.

As the LastPass data breach clearly demonstrated, it is important to choose a password manager that operates under the zero-knowledge model, where the password manager provider does not know users’ passwords, so that in the event of a data breach the passwords cannot be accessed. As the LastPass breach also demonstrated, encrypted password vaults can still be stolen if the password manager provider is hacked. Those vaults can then be subjected to offline brute force attempts to guess the master password, so the master password must be long, complex, and unique.

Despite the fact that password managers are targeted by hackers, security experts agree that they are a wise choice and will help to improve security, provided of course that they are used correctly. If you put all of your eggs in one basket by using a password manager, that basket needs to be secure. That means setting a master password of at least 12 characters, never reusing a single password, and ensuring 2-factor authentication is enabled.

As an additional protection against credential stuffing and other brute force attacks, consider using a password manager that also allows unique usernames to be created for accounts. Bitwarden, for example, offers this feature, which significantly improves protection against brute force attacks on accounts.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news