NortonLifeLock warns customers that criminals have broken into their Norton Password Manager, an online password manager, and advises that all stored credentials be changed immediately. The password manager can be used via a Norton account and can generate passwords and store them in an “online vault”. The password manager is available as a browser extension and app for Android and iOS.
According to NortonLifeLock, an “unauthorized third party”, using credentials obtained from other sources, logged into affected customers’ Norton accounts and was also able to access stored passwords. This is a credential stuffing attack. Credential stuffing uses previously leaked email addresses and passwords to gain automated account access. Attackers check whether they can also log in to website B with credentials stolen from website A.
The attack is only possible when users reuse their passwords and companies fail to detect and block such automated attacks. By logging into the Norton account, the attacker stole name, telephone number and address information. “We cannot rule out that the unauthorized third party has obtained the data in the password manager, especially if your Password Manager key is the same, or very similar, to that of your Norton account,” the letter said.
The attacker can then use the credentials in the vault themselves or share them with others, NortonLifeLock continues. The security company has reset the passwords of affected customers and recommends that customers use the same password on other websites to change it there as well.
Furthermore, NortonLifeLock states that customers should immediately change all passwords stored in the online password manager. The security company also states that customers should regularly change their passwords.