What happened?

On July 25, a flaw was discovered on LifeLock’s website that unintentionally leaked millions of customer email addresses. The website vulnerability allowed any Web user to pair unique LifeLock subscriber IDs (randomized numbers attributed to each customer), with customer email addresses – similar to the Panera data leak earlier this year.

A security researcher named Nathan Reese first discovered the flaw. He received an email to the account he had previously used for LifeLock, prompting him to renew his identity protection services.

Reese also discovered that the flaw allowed users to unsubscribe customers from LifeLock communications. Upon clicking “unsubscribe,” he was taken to a page that showed his unique LifeLock subscriber ID in the Web address bar.

Human Error or Malicious Attack?

The data leak was not a malicious attack, but a misconfiguration of LifeLock’s website. However, exposing unique LifeLock subscriber IDs potentially gives fraudsters more information about their victims, and therefore more ammunition for future cyber attacks.

Spear phishing, like traditional phishing, aims to impersonate a known person, business or other entity. The goal is to trick victims into divulging personal and financial information, login credentials and other sensitive data that could be used for fraud, identity theft or to make a profit on the Dark Web.

“If I were the bad guy, I would definitely target [LifeLock] customers with a phishing attack,” Reese said. “I know two things about them…that they’re a LifeLock customer and that I have those customers’ email addresses…Plus, I definitely think the target market of LifeLock is someone who is easily spooked by the specter of cybercrime.”

What should I do?

LifeLock has reportedly fixed the flaw and has no reason to believe the exposed information was misused. Use the tips below to secure your personal data as it relates to this data security event:

If you are currently, or have ever been a member of LifeLock:

  • Be wary of email communications you receive from LifeLock. Fraudsters may target existing or previous LifeLock members in future cybersecurity attacks.
  • Update passwords for any accounts that use affected email addresses for login.
  • Consider enabling two-step authentication for affected email accounts to add an extra layer of protection.