Norton Password Manager hacked, warning users about breaches

Posted in General Discussion, edited January 2023
NortonLifeLock is notifying customers that attackers have broken into Norton Password Manager accounts using credentials taken in breaches of other platforms.

An example authentication page


The notifications to NortonLifeLock customers advise that hackers are successfully gaining access to Norton Password Manager accounts. However, the company says the attacks did not exploit weak security in the Norton Password Manager systems themselves; the credentials came from a third-party platform.

"Our own systems were not compromised. However, we strongly believe that an unauthorized third-party knows and has utilized your username and password for your account," the firm said in notices to customers, according to a letter sample shared with the Office of the Vermont Attorney General seen by BleepingComputer.

Specifically, this is a credential-stuffing attack: the attacker takes username and password pairs obtained elsewhere, such as from account compromises on other platforms, and tries them against the intended target, succeeding wherever a user reused the same password.

In this instance, Norton detected an "unusually large volume" of failed login attempts on December 12, a typical signature of credential stuffing. An internal investigation that ran until December 22 found that the attacks had started on December 1 and that a number of accounts were successfully compromised.
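The signal the article describes, a spike in failed logins spread across many different accounts from one source, is what distinguishes credential stuffing from a user mistyping or a brute-force attempt on a single account. The detector below is an added example, not code from the article or from Norton; the log format, addresses and account names are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample auth log (hypothetical format, not Norton's real logs). One source
# hits many accounts once each (stuffing); another retries one account (mistyping).
SAMPLE_LOG = """\
2022-12-12T03:00:01Z FAIL user=alice@example.com ip=203.0.113.5
2022-12-12T03:00:02Z FAIL user=bob@example.com ip=203.0.113.5
2022-12-12T03:00:02Z FAIL user=carol@example.com ip=203.0.113.5
2022-12-12T03:00:03Z OK   user=dave@example.com ip=203.0.113.5
2022-12-12T03:00:04Z FAIL user=erin@example.com ip=203.0.113.5
2022-12-12T03:00:05Z FAIL user=frank@example.com ip=203.0.113.5
2022-12-12T03:10:00Z FAIL user=alice@example.com ip=198.51.100.7
2022-12-12T03:10:30Z FAIL user=alice@example.com ip=198.51.100.7
2022-12-12T03:11:00Z OK   user=alice@example.com ip=198.51.100.7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<result>OK|FAIL)\s+user=(?P<user>\S+) ip=(?P<ip>\S+)$")

def parse_line(line):
    """Return (timestamp, result, user, ip), or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["result"], m["user"], m["ip"]

def detect_stuffing(log_text, window_s=300, min_failures=5, min_users=4):
    """Flag a source IP when, inside one fixed window, its failures are both numerous
    and spread over many distinct accounts. Many failures on one account are not flagged."""
    buckets = defaultdict(lambda: {"fail": 0, "users": set(), "ok_users": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        b = buckets[(ip, int(ts.timestamp()) // window_s)]
        if result == "FAIL":
            b["fail"] += 1
            b["users"].add(user)
        else:
            b["ok_users"].add(user)  # a success from a stuffing source is a likely takeover
    alerts = []
    for (ip, slot), b in sorted(buckets.items()):
        if b["fail"] >= min_failures and len(b["users"]) >= min_users:
            start = datetime.fromtimestamp(slot * window_s, tz=timezone.utc).isoformat()
            alerts.append({"ip": ip, "window_start": start, "failures": b["fail"],
                           "distinct_users": len(b["users"]), "possible_takeovers": sorted(b["ok_users"])})
    return alerts
```

Accounts listed under `possible_takeovers` are the ones to reset first, which is the response the article says Norton took.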

While the number of affected accounts was not revealed, a statement from NortonLifeLock parent company Gen Digital said that approximately 925,000 inactive and active accounts could have been targeted in the attack.

Customers are warned in the notification that attackers may have obtained details stored in private vaults, which could lead to further compromises. Attackers may also have seen the account's first name, last name, phone number, and mailing address.

Norton has since reset passwords on impacted accounts, introduced additional measures to fend off attacks, and advises customers to enable two-factor authentication on their accounts. It also offers the use of a credit monitoring service.

The NortonLifeLock attack is the latest to be publicly known involving password locker services.

In December, LastPass confirmed that an August data breach involved names, addresses, and encrypted password data vaults. By late December, it was claimed that the vaults were potentially crackable for just $100.

Read on AppleInsider

Comments

  • Reply 1 of 15
    Xed Posts: 2,519 member
    So far it looks like 1Password with their inclusion of a locally-created secret key along with your username and password is the most secure option for managing your password.
  • Reply 2 of 15
    "...a statement from NortonLifeLock parent company Gen Digital revealed that approximately 925,000 inactive and active accounts could've been targeted in the attack."  Glad I haven't used Norton on personally owned computers.  Also, haven't used anything Norton in more than 10+ years on company owned computers (used competing brands during that timeframe).  Never used 1Password (or any other 3rd party password manager).  May be a good argument to phase out passwords in favor of passkeys (will start investigating passkeys).  

    Have noticed a large increase in spam emails starting about a week before Christmas.  Wondering if a different database was hacked, or some company or companies running low on cash has been selling email addresses in a bid to make money.  
    edited January 2023
  • Reply 3 of 15
    dewme Posts: 5,335 member
    The last time I used Norton software was to use Norton SI to see the performance improvement achieved by tweaking the memory wait states on my 4.77 MHz Intel 8088 PC. I think it bumped the SI benchmark from a 1.0 to a 1.2. Swapping out the Intel 8088 for an NEC V20 gave me a little more bump-up, but still in the 1.x range. Imagine anything today with a benchmark of 1.

    I think the dinosaurs were starting their rapid descent into extinction around the same time.
  • Reply 4 of 15
    Password re-use is the most likely vector for the ne'er-do-wells gaining access to the NortonLifeLocker systems. Which makes it painfully obvious that a large portion of the userbase does not and will never understand the point of a password manager.
  • Reply 5 of 15
    badmonk Posts: 1,285 member
    So this occurred because a third party platform had been hacked?  I wonder what that platform was?

    I think this is going to be more common when we get more app stores with less oversight.  Welcome to your future Europe.   Also don’t use LifeLock, if its CEO can be hacked so can you.

    https://www.wired.com/2010/05/lifelock-identity-theft/
  • Reply 6 of 15
    Last month we switched from LastPass to 1Password after the LastPass hack. We (my wife and I) spent 3 miserable days changing all of our passwords. What a mess! Government and insurance company sites are the worst for changing passwords - almost impossible without a lot of clicking around and phone calls. 1Password seems to work great though we are still having occasional glitches with cloud passwords at Apple and 1Password. I wish the world would totally implement the Passkey system so passwords become history.
  • Reply 7 of 15
    Xed said:
    So far it looks like 1Password with their inclusion of a locally-created secret key along with your username and password is the most secure option for managing your password.

    The most secure option for managing your passwords is to use a password keeper app that keeps its data in an encrypted database stored locally on your device, and doesn't sync it to some cloud server. That's what I do.
    edited January 2023
  • Reply 8 of 15
    Xed Posts: 2,519 member
    Doodpants said:
    Xed said:
    So far it looks like 1Password with their inclusion of a locally-created secret key along with your username and password is the most secure option for managing your password.

    The most secure option for managing your passwords is to use a password keeper app that keeps its data in an encrypted database stored locally on your device, and doesn't sync it to some cloud server. That's what I do.
    1Password has that option, too, but I sync my encrypted vaults through one of the synced services I already maintain.

    If you're not doing any syncing do you just have the one device or are you manually recreating your vaults on each device? I can't reasonably be expected to recreate 1000s* of entries manually across devices, and then update passwords and secure data in each device when there's a single change so of course I use syncing. As someone who's been using 1Password for over 15 years I have far too much info in my vaults to want to waste time without any gain in security.

    You do you, but don't conflate security with paranoia, and try to balance security with convenience so it can benefit your life, not hinder it.

    * No, of course these aren't all logins. A great deal of the entries are for other data, too. I make extensive use of the Secure Notes section with Markdown formatting to keep a great many things I don't simply want hanging out in my Documents folder more secure.

  • Reply 9 of 15
    chasm Posts: 3,275 member
    If you're just an individual who needs to generate and keep strong passwords for websites and similar information, Keychain is far and away your best option.

    Norton has been craptastic for many years now. Whenever I uninstall it for someone they immediately notice their machine (Mac or PC) is suddenly much more responsive.

    If you are a multi-family household with a need for a shared vault for some passwords, take a look at 1Password.

    Nearly all the rest of the third-party password lockers sell personal data about you, especially if you're on the free tier.

    Above all else, stop relying on scraps of paper/little notebooks/your memory and stop reusing passwords. Until Passkeys is universal, Keychain is the next best option.
  • Reply 10 of 15
    StrangeDays Posts: 12,844 member
    Doodpants said:
    Xed said:
    So far it looks like 1Password with their inclusion of a locally-created secret key along with your username and password is the most secure option for managing your password.

    The most secure option for managing your passwords is to use a password keeper app that keeps its data in an encrypted database stored locally on your device, and doesn't sync it to some cloud server. That's what I do.
    If it doesn't sync to other devices it's of limited use.

    You may as well claim "The most secure option is to print & store your passwords in a 500-lb gun safe in your home." Yeah, it's more secure from hackers, but...of much less use.
  • Reply 11 of 15
    StrangeDays Posts: 12,844 member
    It's Apple Keychain for me.
  • Reply 12 of 15
    Xed Posts: 2,519 member
    StrangeDays said:
    It's Apple Keychain for me.
    I find it interesting when people who will only ever choose an Apple product if it's available go with Keychain for keeping their info secure.

    1. Are you utilizing their rudimentary Secure Notes feature? If so, what kind of info do you keep in there?
    2. Where/How do you store information that exceeds the rudimentary nature of just a username and password?
    3. If you were to get your wallet stolen or lost, how would you go about contacting all the financial institutions so they can cancel all your cards? Do you keep a list of the cards and their phone numbers on file in your Keychain?
    4. What about secure banking information?
    5. What about digitized copies of DLs, passports, etc, along with all their info in text form for using with various online sites?
    6. How does Keychain deal with letting you know about reused passwords, insecure passwords, vulnerable passwords, compromised websites, etc.?
    7. Can you at least tag and group items for better organization as the typical user has hundreds of unique entries?
    8. Since accessing your iCloud only requires a username and password, or just a password from one of your devices after a restart, why would you go with that level of insecurity for info that I presume you want to keep as secure as possible?
    9. Can Keychain account for one-time password submissions? If so, where is that hash stored?
    10. How about info about vehicles, past addresses, secure identity info about people you maintain in your life, documents, server access info, etc.?

    edited January 2023
  • Reply 13 of 15
    Xed said:
    Doodpants said:
    Xed said:
    So far it looks like 1Password with their inclusion of a locally-created secret key along with your username and password is the most secure option for managing your password.

    The most secure option for managing your passwords is to use a password keeper app that keeps its data in an encrypted database stored locally on your device, and doesn't sync it to some cloud server. That's what I do.
    1Password has that option, too, but I sync my encrypted vaults through one of the synced services I already maintain.

    If you're not doing any syncing do you just have the one device or are you manually recreating your vaults on each device? I can't reasonably be expected to recreate 1000s* of entries manually across devices, and then update passwords and secure data in each device when there's a single change so of course I use syncing. As someone who's been using 1Password for over 15 years I have far too much info in my vaults to want to waste time without any gain in security.

    You do you, but don't conflate security with paranoia, and try to balance security with convenience so it can benefit your life, not hinder it.

    * No, of course these aren't all logins. A great deal of the entries are for other data, too. I make extensive use of the Secure Notes section with Markdown formatting to keep a great many things I don't simply want hanging out in my Documents folder more secure.

    I've been using only 1Password for over 10 years, and while I may not have 1000's of entries, it's well over 1000 total with everything in it.  I also use it for other data besides logins.  It is so useful in that way. I also sync between multiple devices to keep my sanity.  It is well worth every penny I have ever spent on it!

  • Reply 14 of 15
    I am using Safe+ as a password manager – it stores all data locally on my devices and can be synced via WiFi.
  • Reply 15 of 15
    Doodpants said:
    Xed said:
    So far it looks like 1Password with their inclusion of a locally-created secret key along with your username and password is the most secure option for managing your password.

    The most secure option for managing your passwords is to use a password keeper app that keeps its data in an encrypted database stored locally on your device, and doesn't sync it to some cloud server. That's what I do.
    If it doesn't sync to other devices it's of limited use.

    You may as well claim "The most secure option is to print & store your passwords in a 500-lb gun safe in your home." Yeah, it's more secure from hackers, but...of much less use.

    Yeah, my usage habits are probably atypical, because I'm old. I have a password keeper app (mSecure) only on my phone, since it's the device I always have with me. But I generally don't use my phone for internet stuff. So when I need to enter a password somewhere, I look it up with my eyeballs and enter it with my fingers, rather than using the app itself to enter it. Just like I did 25 years ago with the password keeper app on my Palm Pilot. :smiley:

    And part of it is that I don't trust cloud services. Or don't want to rely on cloud services. Partly because of data breaches like the one in this article, and partly because I like to be in full possession of my data.
    edited January 2023