Unraveling the LifeLock ‘hacked passwords’ story – Naked Security

Earlier this month, online identity protection service NortonLifeLock, owned by Arizona-based technology company Gen Digital, sent a security warning to many of its customers.
The warning letter can be viewed online, such as on the website of the Office of the Vermont Attorney General, where it appears under the title NortonLifeLock – Gen Digital Data Breach Notice to Consumers.
The letter begins with a blunt greeting that says:
We are writing to notify you of an incident involving your personal information.
It continues as follows:
[Our intrusion detection systems] alerted us that an unauthorized party is likely to know the email address and password you have used with your Norton account […] and Norton Password Manager. We recommend that you change your password with us and elsewhere immediately.
As opening paragraphs go, this one is pretty straightforward, and contains straightforward if potentially time-consuming advice: someone other than you probably knows your Norton account password; they may have been able to peek into your password manager too; please change all passwords as soon as you can.
What happened here?
But what actually happened here, and was this a breach in the conventional sense?
After all, LastPass, another household name in the password management game, recently announced not only that it had suffered a network intrusion, but also that customer data, including encrypted passwords, had been stolen.
Fortunately, in LastPass’s case, the stolen passwords were not of direct and immediate use to the attackers, because each user’s password vault was protected by a master password, which was not stored by LastPass and therefore was not stolen at the same time.
The bad guys still have to crack these master passwords first, a task that can take weeks, years, decades, or even longer, for each user, depending on how wisely those passwords were chosen.
Bad choices such as 123456 and iloveyou were probably rumbled within the first hours of cracking, but less predictable combinations such as DaDafD$&RaDogS or tVqFHAAPTjTUmOax will almost certainly hold out far longer than it would take you to change the passwords in your vault.
But if LifeLock just suffered a breach, and the company warns that someone else already knew some users’ account passwords, and perhaps also the master password for all their other passwords…
… isn’t that much worse?
Have these passwords already been cracked somehow?
Another kind of breach
The good news is that this case seems to be a rather different kind of “breach”, probably caused by the risky practice of using the same password for several different online services to make logging into your most used sites a little faster and easier.
Immediately following LifeLock’s opening advice to go and change your passwords, the company states that:
As of 2022-12-01, an unauthorized third party had used a list of usernames and passwords obtained from another source, such as the dark web, to attempt to log into Norton customer accounts. Our own systems were not compromised. However, we strongly believe that an unauthorized third party knows and has used your username and password for your account.
The problem with using the same password on multiple different accounts is obvious – if one of your accounts gets compromised, then all of your accounts are pretty much compromised too, because the one stolen password acts as a skeleton key to the other services involved.
Credential stuffing explained
In fact, the process of testing whether one stolen password works across multiple accounts is so popular with cybercrooks (and is so easily automated) that it even has a special name: credential stuffing.
If an online criminal guesses, buys on the dark web, steals or phishes a password for an account you use, even something as low-value as your local news site or your sports club, they will almost immediately try the same password on other likely accounts in your name.
Simply put, they take your username, combine it with the password they already know, and stuff those credentials into the login pages of as many popular services as they can think of. (Many services these days like to use your email address as a username, making this process even more predictable for attackers.)
By the way, using a single super-complex password “stem” and adding a variation for each account (such as -fb for Facebook, -tw for Twitter and -tt for TikTok) doesn’t help much either.
Passwords that differ by a single character do end up with completely different password hashes, so a stolen database of password hashes won’t reveal anything about how similar your various password choices are…
…but credential stuffing attacks are used when the attackers already know the plaintext of your password.
Common ways raw passwords end up in criminal hands include:
- Phishing attacks, where you inadvertently enter the correct password on the wrong page, so that it is sent directly to the criminals instead of the service you actually intended to log into.
- Keylogger spyware, malicious software that deliberately records the raw keystrokes you type into your browser or other apps on your laptop or phone.
- Poor logging hygiene on the server side, where criminals breaking into a web-based service discover that the company has accidentally logged clear-text passwords to disk instead of storing them only temporarily in memory.
- RAM scraping malware, which runs on compromised servers to look out for likely data patterns that appear temporarily in memory, such as credit card details, ID numbers and passwords.
Blaming the victims?
While it looks like LifeLock wasn’t breached, in the conventional sense of cybercriminals breaking into a company’s own networks and snooping on data from the inside, so to speak…
…we have seen some criticism of how this incident was handled.
To be fair, cybersecurity vendors can’t always prevent their customers from “doing the wrong thing” (in Sophos products, for example, we do our best to warn you on screen, bright and bold, if you choose riskier configuration settings than we recommend, but we cannot force you to accept our advice).
In particular, an online service cannot easily prevent you from entering the exact same password on other sites – not least because it would have to cooperate with those other sites to do so, or carry out its own credential stuffing tests against them, thereby violating the sanctity of the password you selected for that site.
Nevertheless, some critics have suggested that LifeLock could have detected these bulk credential stuffing attacks sooner than it did, perhaps by spotting the unusual pattern of login attempts, presumably including many that failed because at least some of the users in the stolen list did not reuse their passwords, or because the password list was inaccurate or out of date.
These critics note that 12 days passed between the time the bogus login attempts started and the company’s discovery of the anomaly (2022-12-01 to 2022-12-12), and another 10 days between first discovering the problem and determining that it was almost certainly due to data obtained from a source other than the company’s own networks.
Others have wondered why the company waited until after New Year 2023 (2022-12-12 to 2023-01-09) to issue the “breach” notification to affected users, if it was aware of mass credential stuffing attempts before Christmas 2022.
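The anomaly the critics have in mind, one source address trying many different usernames with most attempts failing, can be checked for with a simple heuristic over authentication logs. The Python below is an added illustration, not code from LifeLock or from the letter; the log format, addresses and usernames are constructed, and the thresholds are assumptions a defender would tune to their own traffic.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not real data): one source address
# cycles through many different usernames, mostly failing, while ordinary
# users log in from their own addresses.
SAMPLE_LOG = """\
2022-12-01T03:00:01Z src=203.0.113.7 user=alice@example.test result=FAIL
2022-12-01T03:00:02Z src=203.0.113.7 user=bob@example.test result=FAIL
2022-12-01T03:00:02Z src=203.0.113.7 user=carol@example.test result=OK
2022-12-01T03:00:03Z src=203.0.113.7 user=dave@example.test result=FAIL
2022-12-01T03:00:03Z src=203.0.113.7 user=erin@example.test result=FAIL
2022-12-01T03:00:04Z src=203.0.113.7 user=frank@example.test result=FAIL
2022-12-01T08:15:00Z src=198.51.100.2 user=alice@example.test result=FAIL
2022-12-01T08:16:00Z src=198.51.100.2 user=alice@example.test result=OK
2022-12-01T09:00:00Z src=192.0.2.44 user=bob@example.test result=OK
"""

LINE_RE = re.compile(r"src=(\S+) user=(\S+) result=(OK|FAIL)")

def parse(log_text):
    """Yield (src_ip, username, succeeded) for each parseable log line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3) == "OK"

def find_stuffing_sources(log_text, min_users=5, min_fail_ratio=0.5):
    """Return {src_ip: summary} for sources whose logins look like credential
    stuffing: many *distinct* usernames from one address, most of them failing
    (everyone in the leaked list who did not reuse that password)."""
    stats = defaultdict(lambda: {"users": set(), "ok_users": set(), "n": 0, "fail": 0})
    for src, user, ok in parse(log_text):
        s = stats[src]
        s["users"].add(user)
        s["n"] += 1
        if ok:
            s["ok_users"].add(user)  # accounts the attacker actually got into
        else:
            s["fail"] += 1
    flagged = {}
    for src, s in stats.items():
        ratio = s["fail"] / s["n"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[src] = {"distinct_users": len(s["users"]),
                            "fail_ratio": round(ratio, 2),
                            "likely_compromised": sorted(s["ok_users"])}
    return flagged
```

The flagged summary lists the accounts that did succeed from the suspicious address, which is exactly the set of users a notification like LifeLock’s would need to reach first.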
We won’t try to guess whether the company could have reacted more quickly, but it’s worth remembering – in case this happens to you – that establishing all the salient facts after receiving allegations of a “breach” can be a mammoth task.
Annoyingly, and perhaps ironically, it is often depressingly easy to find out that you have been directly breached by so-called active adversaries.
Anyone who has seen hundreds of computers simultaneously display a straight-in-your-face ransomware ransom note demanding zillions of dollars in crypto-coins will sadly attest to that.
But finding out what cybercrooks definitely did not do to your network, which amounts to proving a negative, is often a time-consuming exercise, at least if you want to do it scientifically and with sufficient accuracy to convince yourself, your customers and regulators.
What to do?
As far as victim-blaming goes, it’s still important to note that, as far as we know, there’s nothing that LifeLock, or any other service whose users reuse passwords, can do now, on its own, to fix the underlying cause of this problem for good.
In other words, if bad guys get into your accounts on decently secure services P, Q, and R simply because they discovered you used the same password on not-so-secure site S, the more secure sites can’t stop you from taking the same kind of risk in the future.
So our immediate tips are:
- If you’re in the habit of reusing passwords, don’t do it anymore! This incident is just one of many in history that draws attention to the dangers involved. Remember, this warning about using a different password for each account applies to everyone, not just LifeLock customers.
- Do not use related passwords on different websites. A complex password stem combined with an easy-to-remember suffix unique to each site will, strictly speaking, give you a “different” password on each site. But this behavior still leaves a pattern that the bad guys are likely to figure out, even from a single compromised password. This “trick” just gives you a false sense of security.
- If you have received a notice from LifeLock, follow the advice in the letter. It’s possible that some users may receive alerts due to unusual logins that were legitimate (e.g. while on vacation), but read it carefully anyway.
- Consider turning on 2FA for every account you can. LifeLock itself recommends 2FA (two-factor authentication) for Norton accounts, and for all accounts where two-factor authentication is supported. We agree, because stolen passwords alone are of much less use to attackers if you also have 2FA in the way. Do this whether you are a LifeLock customer or not.
We may yet end up in a digital world without passwords at all – many online services are already trying to move in that direction, looking exclusively at switching to other ways of checking your online identity, such as using special hardware tokens or taking biometric measures instead.
But passwords have been with us for more than half a century already, so we suspect they will be with us for many years to come, for some or many, if not all, of our online accounts.