Serious Security: Unravelling the LifeLock “hacked passwords” story

Earlier this month, the NortonLifeLock online identity protection service, owned by Arizona-based technology company Gen Digital, sent a security warning to many of its customers.

The warning letter can be viewed online, for example on the website of the Office of the Vermont Attorney General, where it appears under the title NortonLifeLock – Gen Digital Data Breach Notice to Consumers.

The letter starts with a dread-sounding salutation that says:

We are writing to notify you of an incident involving your personal information.

It continues as follows:

[Our intrusion detection systems] alerted us that an unauthorized party likely has knowledge of the email and password you have been using with your Norton account […] and your Norton Password Manager. We recommend you change your passwords with us and elsewhere immediately.

As opening paragraphs go, this one is pretty straightforward, and contains uncomplicated if potentially time-consuming advice: someone other than you probably knows your Norton account password; they may have been able to peek into your password manager as well; please change all passwords as soon as you can.

What happened here?

But what actually happened here, and was this a breach in the conventional sense?

After all, LastPass, another well-known name in the password management game, recently announced not only that it had suffered a network intrusion, but also that customer data, including encrypted passwords, had been stolen.

In LastPass’s case, fortunately, the stolen passwords weren’t of direct and immediate use to the attackers, because each user’s password vault was protected by a master password, which wasn’t stored by LastPass and therefore wasn’t stolen at the same time.

The crooks still need to crack those master passwords first, a task that might take weeks, years, decades or even longer, for every user, depending on how wisely those passwords had been chosen.

Bad choices such as 123456 and iloveyou were probably be rumbled within the first few hours of cracking, but less predictable combinations such as DaDafD$&RaDogS or tVqFHAAPTjTUmOax will almost certainly hold out for far longer than it would take to change the passwords in your vault.

But if LifeLock just suffered a breach, and the company is warning that someone else already knew some users’ account passwords, and perhaps also the master password for all their other passwords…

…isn’t that much worse?

Have those passwords already been cracked somehow?

A different sort of breach

The good news is that this case seems to be quite a different sort of “breach”, probably caused by the risky practice of using the same password for several different online services in order to make logging in to your commonly-used sites a bit quicker and easier.

Immediately after LifeLock’s early advice to go and change your paswords, the company suggests that:

[B]eginning around 2022-12-01, an unauthorized third party had used a list of usernames and passwords obtained from another source, such as the dark web, to attempt to log into Norton customer accounts. Our own systems were not compromised. However, we strongly believe that an unauthorized third party knows and has utilized your username and password for your account.

The problem with using the same password on multiple different accounts is obvious – if any one of your accounts gets compromised, then all your accounts are as good as compromised as well, because that one stolen password acts like a skeleton key to the other services involved.

Credential stuffing explained

In fact, the process of testing whether one stolen password works across multiple accounts is so popular with cybercrooks (and is so easily automated) that it even has a special name: credential stuffing.

If an online criminal guesses, buys on the dark web, steals, or phishes a password for any account that you use, even something as low-level as your local news site or your sports club, they will almost immediately try the same password on other likely accounts in your name.

Simply put, the attackers take your username, combine it with the password they already know, and stuff those credentials into the login pages of as many popular services as they can think of.

Many services these days like to use your email address as a username, which makes this process even more predictable for the Bad Guys.

By the way, using a single, hard-to-guess password “stem” and adding modifications for different accounts doesn’t help much, either.

That’s where you try to create fake “complexity” by starting with a common component that is complicated, such as Xo3LCZ6DD4+aY, and then appending uncomplicated modifiers such as -fb for Facebook, -tw for Twitter and -tt for Tik Tok.

Passwords that vary by even a single character will end up with a totally different scrambled password hash, so that stolen databases of password hashes won’t tell you anything about how similar different password choices are…

…but credential stuffing attacks are used when the attackers already know the plaintext of your password, so it’s vital to avoid turning each passord into a handy hint for all the others.

Common ways that unencrypted passwords fall into criminal hands include:

  • Phishing attacks, where you inadvertently type the right password into the wrong site, so it gets sent directly to the criminals instead of to the service where you actually intended to log in.
  • Keylogger spyware, malicious software that deliberately records the raw keystrokes you type into your browser or into other apps on your laptop or phone.
  • Poor server-side logging hygiene, where criminals who break into an online service discover that the company has accidentally been logging plaintext passwords to disk instead of keeping them only temporarily in memory.
  • RAM scraping malware, which runs on compromised servers to watch out for likely data patterns that appear temorarily in memory, such as credit card details, ID numbers, and passwords.

Aren’t you blaming the victims?

Even though it looks as though LifeLock itself didn’t get breached, in the conventional sense of cybercriminals breaking into the company’s own networks and snooping on data from the inside, as it were…

…we’ve seen some criticism of how this incident was handled.

To be fair, cybersecurity vendors can’t always prevent their customers from “doing the wrong thing” (in Sophos products, for example, we do our best to warn you on-screen, brightly and boldly, if you choose configuration settings that are riskier than we recommend, but we can’t force you to accept our advice).

Notably, an online service can’t easily stop you setting exactly the same password on other sites – not least because it would need to collude with those other sites in order to do so, or to conduct credential stuffing tests of its own, thus violating the sanctity of your password.

Nevertheless, some critics have suggested that LifeLock could have spotted these bulk password-stuffing attacks more quickly than it did, perhaps by detecting the unusual pattern of attempted logins, presumably including many that failed because at least some compromised users weren’t re-using passwords, or because the database of stolen passwords was imprecise or out-of-date.

Those critics note that 12 days elapsed between the bogus login attempts starting and the company spotting the anomaly (2022-12-01 to 2022-12-12), and a further 10 days between first noticing the problem and figuring out that the issue was almost certainly down to breached data acquired from some other source than the company’s own networks.

Others have wondered why the company waited until the 2023 New Year (2022-12-12 to 2023-01-09) to send out its “breach” notification to affected users, if it was aware of bulk password stuffing attempts before Christmas 2022.

We’re not going to try to guess whether the company could have reacted more quickly, but it’s worth remembering – in case this ever happens to you – that determining all the salient facts after you receive claims about “a breach” can be a mammoth undertaking.

Annoyingly, and perhaps ironically, finding out that you have been directly breached by so-called active adversaries is often depressingly easy.

Anyone who has seen hundreds of computers simultaneously displaying a right-in-your-face ransomware blackmail note demanding thousands or millions of dollars in cryptocoins will regrettably attest to that.

But figuring out what cybercrooks definitely did not do to your network, which is essentially proving a negative, is often a time-consuming exercise, at least if you want to do it scientifically, and with a sufficient level of accuracy to convince yourself, your customers and the regulators.

What to do?

As for victim-blaming, it’s neverytheless vital to note that, as far as we know, there is nothing that LifeLock, or any other services where passwords were re-used, can do now, on its own, to fix the underyling cause of this problem.

In other words, if crooks get into your accounts on decently-secure services P, Q and R simply because they discovered you used the same password on not-so-secure site S, those more-secure sites can’t stop you taking the same sort of risk in future.

So, our immediate tips are:

  • If you are in the habit of re-using passwords, don’t do it any more! This incident is just one of many in history that draw attention to the dangers involved. Remember that this warning about using a different password for every account applies to everyone, not just to LifeLock customers.
  • Don’t use related passwords on different sites. A complex password stem combined with an easily-memorised suffix unique to each site will, literally speaking, give you a different password on every site. But this behaviour nevertheless leaves am obvious pattern that crooks are likely to figure out, even from a single compromised password sample. This “trick” just gives you a false sense of security.
  • If you received a notification from LifeLock, follow the advice in the letter. It’s possible that some users may receive notifications due to unusual logins that were nevertheless legitimate (e.g. while they on vacation), but read it through carefully anyway.
  • Consider turning on 2FA for any accounts you can. LifeLock itself recommends 2FA (two-factor authentication) for Norton accounts, and for any accounts where two-factor logins are supported. We concur, because stolen passwords on their own are much less use to attackers if you also have 2FA in their way. Do this whether you are a LifeLock customer or not.

We may yet end up in a digital world without any passwords at all – many online services are trying to move in that direction already, looking at switching exclusively to other ways of checking your online identity, such as using special hardware tokens or taking biometric measurements instead.

But passwords have been with us for more than half a century already, so we suspect they will be with us for many years yet, for some or many, if no longer all, of our online accounts.

While we’re still stuck with passwords, let’s make a determined effort to use them in a way that gives as little help to cybercriminals as possible.


go top