LifeLock Bug Exposed Millions of Customer Email Addresses

Security blogger Brian Krebs recently reported that identity theft protection firm LifeLock, a company that has built its name on the promise of helping consumers protect their identities online, may itself have exposed customers to additional attacks from ID thieves and phishers.
Security firm Symantec, which acquired LifeLock in November 2016, took LifeLock.com offline shortly after being contacted by KrebsOnSecurity. According to LifeLock’s marketing literature as of January 2017, the company has more than 4.5 million customer accounts.
Neill Brookman, head of EMEA pre-sales at Janrain, said: "It is ironic that a company promoting their services to consumers to protect against data breaches implements such a basic form of security to manage the user records, allowing a data breach. Using a sequential ID for each consumer record rather than a GUID (globally unique identifier) suggests they have poor development standards and no proper testing or quality control.
"A sequential ID or email should never be used as an identifier in an application, as it is open to phishing attacks and very insecure. Consumers need to be educated and become more vigilant when signing up to services like LifeLock by checking the URLs presented as part of registration and management, and cancel the service immediately if it appears that a sequential number or their email address is used in the URL."
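To make the enumeration risk behind the quote above concrete, here is a small constructed example that is not code from the article, from Krebs, from LifeLock or from Symantec, and does not reproduce the actual LifeLock endpoint. It contrasts a record store addressed by a sequential integer with no ownership check against one addressed by a random token from the OS CSPRNG that is returned only to its owner. The usernames and email addresses are made up. One practitioner's caveat the quote does not spell out: a random identifier only defeats guessing; the authorization check on the requester is what stops a leaked or forwarded link from disclosing the record.

```python
"""Sequential record IDs vs. unguessable IDs plus an ownership check.

Constructed example: a toy account store with two lookup paths, one that
mirrors the weakness discussed above (records addressed by a sequential
integer in the URL, no ownership check) and one hardened version.
Nothing here is LifeLock's, Symantec's or Krebs's code.
"""
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample data; these are not real customer records.
SAMPLE_CUSTOMERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.net"),
    ("carol", "carol@example.org"),
]


@dataclass(frozen=True)
class Record:
    owner: str   # username allowed to see this record
    email: str


class VulnerableStore:
    """Records addressed by a sequential integer, returned to anyone."""

    def __init__(self) -> None:
        self._records: dict[int, Record] = {}
        self._next_id = 1

    def add(self, owner: str, email: str) -> int:
        rid = self._next_id          # 1, 2, 3, ...: trivially guessable
        self._next_id += 1
        self._records[rid] = Record(owner, email)
        return rid

    def lookup(self, rid: int, requester: Optional[str] = None) -> Optional[str]:
        # Bug: the requester is ignored; knowing the number is enough.
        rec = self._records.get(rid)
        return rec.email if rec else None


class HardenedStore:
    """Records addressed by a random token, returned only to their owner."""

    def __init__(self) -> None:
        self._records: dict[str, Record] = {}

    def add(self, owner: str, email: str) -> str:
        rid = secrets.token_urlsafe(16)   # 128 random bits from the OS CSPRNG
        self._records[rid] = Record(owner, email)
        return rid

    def lookup(self, rid: str, requester: Optional[str]) -> Optional[str]:
        rec = self._records.get(rid)
        # Authorization check: the ID must exist AND belong to the requester.
        # The random ID only stops guessing; this line stops a leaked link.
        if rec is None or requester is None or rec.owner != requester:
            return None
        return rec.email


def harvest(store, candidate_ids) -> list[str]:
    """Attacker's view: walk candidate IDs unauthenticated, keep the hits."""
    found = []
    for rid in candidate_ids:
        email = store.lookup(rid, requester=None)
        if email:
            found.append(email)
    return found


def demo() -> dict:
    """Populate both stores with the same customers and compare exposure."""
    vuln, hard = VulnerableStore(), HardenedStore()
    vuln_ids = [vuln.add(o, e) for o, e in SAMPLE_CUSTOMERS]
    hard_ids = [hard.add(o, e) for o, e in SAMPLE_CUSTOMERS]
    return {
        # Sweeping 1..1000 recovers every email from the sequential store.
        "leaked_from_sequential": harvest(vuln, range(1, 1001)),
        # The same sweep against random tokens finds nothing.
        "leaked_from_hardened": harvest(hard, (str(i) for i in range(1, 1001))),
        # Even with a valid token, only the owner gets the record back.
        "owner_sees_own": hard.lookup(hard_ids[0], requester="alice"),
        "stranger_with_token": hard.lookup(hard_ids[0], requester="mallory"),
        # The vulnerable store hands the record to anyone holding the number.
        "vuln_anyone_with_number": vuln.lookup(vuln_ids[1], requester="mallory"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows three addresses recovered from the sequential store by a blind sweep, none from the hardened store, and the hardened store refusing a valid token presented by the wrong user.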