Norton Password Manager hacked, warning users about breaches

An instance authentication web page

AppleInsider might earn an affiliate fee on purchases made by hyperlinks on our website.

The notifications to clients of NortonLifeLock advise that hackers are efficiently having access to Norton Password Supervisor accounts. Nevertheless, it’s claimed that the assaults weren’t brought on by weak safety within the Norton Password Supervisor methods, however as an alternative through a third-party platform.

“Our personal methods weren’t compromised. Nevertheless, we strongly consider that an unauthorized third-party is aware of and has utilized your username and password in your account,” the agency stated in notices to clients, based on a letter pattern shared with the Workplace of the Vermont Lawyer Normal seen by BleepingComputer.

Particularly, the breach is called a credential-stuffing assault, the place an attacker acquires knowledge from different sources, comparable to account compromises on different platforms, to attempt to acquire entry to the meant goal.

On this occasion, Norton noticed detected an “unusually giant quantity” of failed login makes an attempt on December 12, which often signifies makes an attempt at credential stuffing assaults. An inner investigation that ran till December 22 found that the assaults began from December 1, and that a variety of accounts have been efficiently compromised.

Whereas the variety of affected accounts weren’t revealed, a press release from NortonLifeLock mum or dad firm Gen Digital revealed that roughly 925,000 inactive and lively accounts may’ve been focused within the assault.

Clients are warned within the notification that attackers might have obtained particulars saved in personal vaults, which may result in additional compromises. Attackers may additionally have seen the account’s first title, final title, cellphone quantity, and mailing handle.

Norton has since reset passwords on impacted accounts, launched extra measures to fend off assaults, and advises clients to allow two-factor authentication on their accounts. It additionally affords using a credit score monitoring service.

The NortonLifeLock assault is the most recent to be publicly identified involving password locker providers.

In December, LastPass confirmed that an August data breach concerned names, addresses, and encrypted password knowledge vaults. By late December, it was claimed that the vaults have been probably crackable for just $100.