On July 25, 2018, identity theft protection firm, LifeLock, reported that a bug on its website could have been exploited to reveal the email addresses of millions of customers – leaving them vulnerable to attacks from identity thieves using “phishing” campaigns, which are targeted attempts to steal sensitive information in order to swindle specific victims.
After being notified by KrebsOnSecurity about the bug, LifeLock’s parent company, Symantec, took the site offline to make the fix. According to Krebs, the data leak was discovered by security researcher Nathan Reese, who is a former LifeLock subscriber. Reese received an email from LifeLock about renewing his membership, and when he clicked “unsubscribe,” a page showing his subscriber key popped up. He was able to write a script that began sequencing numbers and pulling down email addresses.
“This issue was not a vulnerability in the LifeLock member portal,” a Symantec spokesperson said in a statement provided to Fortune. “The issue has been fixed and was limited to potential exposure of email addresses on a marketing page, managed by a third party, intended to allow recipients to unsubscribe from marketing emails. Based on our investigation, aside from the 70 email address accesses reported by the researcher, we have no indication at this time of any further suspicious activity on the marketing opt-out page.”
Those who fall prey to phishing may be forced to deal with having their valuable personal and financial data illegally traded and sold by identity thieves on the black market for months or even years.
What can you do to help stay protected? Phishing emails can appear to come from trusted sources – friends, work, banks, retailers or the IRS – asking you to click a link or download an attachment. Don’t click; delete the email!
Early detection is critical to minimizing damage to your credit and finances. Make it a point to regularly check your credit scores from TransUnion®, Equifax® and Experian® – and examine your credit reports carefully for changes.