Symantec’s LifeLock Exposes Customer Email Addresses, Goes Offline

July 26, 2018, 1:03 AM UTC

A page on the website for LifeLock, which offers online identity protection, went offline briefly on Wednesday afternoon after a prominent security researcher disclosed to LifeLock’s parent company a design flaw that allowed easy harvesting of the email addresses of subscribers.

Symantec acquired LifeLock in 2016. LifeLock had more than 4.5 million customers as of early 2017.

Brian Krebs, a veteran security journalist and researcher, was alerted to the flaw by another researcher, Nathan Reese. The LifeLock site’s subscription-management page uses a simple sequential account number that, when modified, displays the email address of whichever user corresponds to that account.

Such easy access would let malicious parties harvest email addresses and target them with phishing campaigns that purport to be from LifeLock. There’s no evidence so far that this happened, but Reese was able to retrieve 70 email addresses without triggering a lockout.

After Krebs contacted Symantec, the site was taken offline. When it came back online later in the day, the email-list webpage required the entry of a valid email address and no longer simply accepted a subscriber ID.

“This issue was not a vulnerability in the LifeLock member portal,” a Symantec spokesperson said in a statement provided to Fortune. “The issue has been fixed and was limited to potential exposure of email addresses on a marketing page, managed by a third party, intended to allow recipients to unsubscribe from marketing emails. Based on our investigation, aside from the 70 email address accesses reported by the researcher, we have no indication at this time of any further suspicious activity on the marketing opt-out page.”

LifeLock paid $12 million to the U.S. Federal Trade Commission and 35 state attorneys general in 2010 to settle charges of false claims after alleging that its CEO had never had his identity stolen. A Phoenix New Times report refuted that claim. In 2015, the FTC demanded another $100 million from LifeLock for violating a 2010 federal court order related to the first settlement. Symantec purchased LifeLock for $2.3 billion two years later.

Clarification, July 26, 2018: The language pertaining to the scope of the temporary shutdown has been adjusted for clarity.