Norton LifeLock has warned that thousands of customers had their accounts compromised recently in a credential stuffing attack. The announcement came in a new data breach notice issued directly to customers by Gen Digital, formerly Symantec Corporation.
Norton also warns that customers of the Norton Password Manager are particularly at risk, believing that the cybercriminals may have obtained passwords and details stored in private customer vaults.
The attacks did not result in a breach of Norton or NortonLifeLock, but rather from account compromises on other platforms.
“Our own systems were not compromised. However, we strongly believe that an unauthorized third party knows and has utilized your username and password for your account,” NortonLifeLock said. The statement was also made to the government of Vermont.
“This username and password combination may potentially also be known to others.”
Around December 1, 2022, a cybercriminal is believed to have used username and password pairs purchased on the dark web to attempt to login to Norton customer accounts.
Norton observed “an unusually large volume” of failed login attempts on December 12, 2022 indicating a credential stuffing attack. The company believes the cybercriminals successfully compromised many customer accounts, believed to be in thousands.
For Norton Password Manager users, the fallout could be dramatic as online account credentials, exposure of secrets, loss of digital assets and fraud are all highly likely.
If Norton LifeLock and Password Manager master keys are similar, cybercriminals could easily pivot between accounts and gain intrusive access to personal accounts and financial data.
Norton recommends all LifeLock and customers of its products enable two-factor authentication as soon as possible where ever possible to protect accounts. The company is also offering free credit monitoring services to help its customers understand potential identity fraud or fraudulent credit activity.
In a statement to BleepingComputer by Gen Digital, they state they have “secured 925,000 inactive and active accounts that may have been targeted by credential stuffing attacks.”
