Tag Archive for: Password

Norton Password Manager Hack Results in Huge Security Breach for Users!



Editorial Note – Parent company Gen Digital has reached out to us just to confirm that the issue is 100% entirely contained within Norton Password Manager and we would like to clarify, just in case of any ambiguity, that this article bears no reflection on Gen Digital’s other online security interests.

It is, of course, good security practice to have a complex password for your various online accounts. – With this in mind, however, the downside to this is that a good password is typically very difficult to remember. As such, password management software has become rather popular in recent years as effectively representing a one-stop secure depository for all your log-in information.

If you did, however, happen to use Norton Password Manager, then be warned! – Following a report via BleepingComputer, parent company Gen Digital has confirmed a huge security breach which has effectively seen every single user account, at least for a period of time, potentially compromised!

And yes, I think this is what they call irony…


Norton Password Manager Users Warned Data Has Been Compromised!

According to the report, unknown person/s managed to obtain highly sensitive log-in information for Norton Password Manager via the Dark Web which, in basic terms, gave them ‘admin’ level access to the service. Through this, they could literally view and access any account, and yes, this includes the saved log-in information.

Now, admittedly, from an individual level, the chances that you have been affected by this breach are very slim. With that being said though, is this really a risk you would want to take? – Just when you thought this couldn’t get any more alarming, however, it would appear that this breach occurred over 6 weeks ago, and with it only just now being publicly disclosed, that doesn’t exactly do much to help the reputation of Norton Password Manager nor its user base!

Put simply though, if you happen to use this product to manage your online security, expect an email at pretty much any moment detailing the breach. – For the interim, however, I would strongly advise you to access all the accounts you store on there and ensure you have,…

Source…

Ugh! Norton LifeLock password manager accounts accessed by hackers • Graham Cluley



What’s happened?

If you use Norton LifeLock as your password manager, your account may have been compromised.

Woah. What???

According to Bleeping Computer, Gen, the company behind Norton LifeLock (and other brands including Avast, Avira, AVG, ReputationDefender, and CCleaner), is sending data breach notifications to some of its customers warning that their accounts have been accessed following a credential-stuffing attack.

So Norton LifeLock got hacked?

I’d argue that’s an unfair way to describe what’s happened.

Norton LifeLock didn’t screw up anything like as badly as fellow password manager LastPass did in its recent horrendous hack.

In fact, in the notification being sent to affected Norton LifeLock customers, the company says:

Our own systems were not compromised. However, we strongly believe that an unauthorized third party knows and has utilized your username and password for your account.

But how did a hacker find out the username and password to so many people’s LifeLock accounts?

Credential-stuffing attacks take advantage of the fact that many people still make the mistake of reusing the same passwords in different places on the internet.

If one service gets breached and its password database stolen, hackers can fling those credentials at other online accounts – to see if they might unlock something desirable elsewhere.

When did this attack happen?

The company says that the unauthorised access to customer accounts began on December 1 2022, but things heated up considerably on December 12 when a “large volume” of failed account logins occurred.

What did the hackers access in Norton LifeLock accounts?

The data breach notification says that users’ names, phone numbers, and mailing addresses have been accessed, but TechCrunch reports that the company “cannot rule out that the intruders also accessed customers’ saved passwords.”

Gulp!

What can be done to stop this kind of attack?

Well, the first thing is to STOP REUSING PASSWORDS (Sorry for shouting, but I’ve been saying this for years…)

The other thing you can do is enable two-factor authentication (2FA) on your accounts, which adds an additional layer of protection even if your password…

Source…

The LastPass disclosure of leaked password vaults is being torn apart by security experts


Last week, just before Christmas, LastPass dropped a bombshell announcement: as the result of a breach in August, which led to another breach in November, hackers had gotten their hands on users’ password vaults. While the company insists that your login information is still secure, some cybersecurity experts are heavily criticizing its post, saying that it could make people feel more secure than they actually are and pointing out that this is just the latest in a series of incidents that make it hard to trust the password manager.

LastPass’ December 22nd statement was “full of omissions, half-truths and outright lies,” reads a blog post from Wladimir Palant, a security researcher known for helping originally develop AdBlock Pro, among other things. Some of his criticisms deal with how the company has framed the incident and how transparent it’s being; he accuses the company of trying to portray the August incident where LastPass says “some source code and technical information were stolen” as a separate breach when he says that in reality the company “failed to contain” the breach.


He also highlights LastPass’ admission that the leaked data included “the IP addresses from which customers were accessing the LastPass service,” saying that could let the threat actor “create a complete movement profile” of customers if LastPass was logging every IP address you used with its service.

Another security researcher, Jeremi Gosney, wrote a long post on Mastodon explaining his recommendation to move to another password manager. “LastPass’s claim of ‘zero knowledge’ is a bald-faced lie,” he says, alleging that the company has “about as much knowledge as a password manager can possibly get away with.”

LastPass claims its “zero knowledge” architecture keeps users safe because the company never has access to your master password, which is the thing that hackers would need to unlock the stolen vaults. While Gosney doesn’t dispute that particular point, he does say that the phrase is misleading. “I think most people envision their vault as a sort of encrypted database where the…

Source…

Password protection giant LastPass admits the major data breach that came of its August hack


Popular password manager LastPass has admitted encrypted password vaults were stolen by hackers in an August data breach affecting the company’s millions of users.

The company denied that any sensitive data was accessed at the time, but now claims that the threat actor has since collected data which could be used to guess master passwords.


Hackers made copies of account information like phone numbers, billing and email addresses, as well as encrypted passwords.

No unencrypted master passwords, used to login to the password aggregate, were obtained, but by using the basic information, LastPass CEO Karim Toubba warned: “The threat actor may attempt to use brute force to guess your master password.”

If best password practices outlined by LastPass were followed by customers, the company said it would be “difficult” for the hackers to guess master passwords this way.

The people behind the hack may also attempt to decrypt the encrypted customer vault, Toubba said.

While the initial breach didn’t appear to access any sensitive customer data, it did access technical information which was used to target a LastPass employee, the company made known in November.

It is now clear that hackers were able to obtain “credentials and keys” from the employee “which were used to access and decrypt some storage volumes within the cloud-based storage service,” Toubba said on Thursday.

“The threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.”

“The threat actor was also able to copy a backup of customer vault data from the encrypted storage container.”

The company says this vault “contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.”

The extent of an August LastPass hack has recently become clear, after threat…

Source…