July 27, 2018 by nwilliams
In an ironic turn of events, identity theft protection service LifeLock might not be so well-protected itself. A couple of days ago, a vulnerability in one of its marketing pages allowed anyone (a curious user or an attacker) to retrieve the email addresses of LifeLock subscribers simply by changing one digit in the web address. LifeLock made it clear that this was not a breach (that is, no one is known to have accessed the email addresses; they merely could have), and the vulnerability is being fixed, but there are still some nuggets of wisdom we can glean from the situation.
Anything Can Cause a Breach
We’ve heard a lot lately about phishing attacks and password-related hacks, but this incident is a good reminder that, when it comes to the internet, any oversight can lead to a potential breach. In this case, it was a small programming detail: a page that took a subscriber’s numeric identifier straight from the URL and looked up the matching record, with nothing checking whether the requester was entitled to see it. That alone theoretically left the door open to millions of users’ email addresses. This does not number among the “big ticket” items that security awareness training typically covers, but it *does* fall under the category of taking the work we do on the internet, and the data we protect there, seriously. As LifeLock has shown, it doesn’t take much to have your name potentially sullied...even if no hack actually occurred.
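The flaw described above is a classic insecure direct object reference: the only thing standing between an attacker and someone else’s record is a guessable number in the URL. The following is an added example, not code from the original post or from LifeLock, showing a hypothetical unsubscribe handler in its vulnerable form beside a hardened version that ties each link to an HMAC the server can verify, plus the enumeration check a reviewer would run against both. The subscriber table, key handling, and handler names are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample subscriber table (hypothetical data, not LifeLock's).
SUBSCRIBERS = {
    1001: "alice@example.com",
    1002: "bob@example.com",
    1003: "carol@example.com",
}

# Hypothetical server-side key; a real deployment loads it from a secret store
# so that every mailer and web node shares the same value.
SERVER_KEY = secrets.token_bytes(32)


def unsubscribe_vulnerable(subscriber_id: int) -> dict:
    """Vulnerable handler: the numeric id taken from the URL is the only
    lookup key, and the address is echoed back in the page. Anyone who
    changes a digit gets another subscriber's email (an IDOR)."""
    email = SUBSCRIBERS.get(subscriber_id)
    if email is None:
        return {"status": 404}
    return {"status": 200, "email": email}


def make_unsubscribe_token(subscriber_id: int) -> str:
    """Mint the token embedded in the link that is emailed to the subscriber:
    the id plus an HMAC-SHA256 over it, so a token cannot be forged or
    enumerated without SERVER_KEY."""
    id_str = str(subscriber_id)
    mac = hmac.new(SERVER_KEY, id_str.encode(), hashlib.sha256).hexdigest()
    return f"{id_str}.{mac}"


def unsubscribe_hardened(token: str) -> dict:
    """Hardened handler: act only if the MAC verifies for this id, and never
    echo the address back (the subscriber already knows their own email)."""
    try:
        id_str, mac = token.split(".", 1)
        subscriber_id = int(id_str)
    except ValueError:
        return {"status": 400}
    expected = hmac.new(SERVER_KEY, id_str.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check itself does not leak anything.
    if not hmac.compare_digest(mac, expected):
        return {"status": 403}
    if subscriber_id not in SUBSCRIBERS:
        return {"status": 404}
    return {"status": 200}


def enumerate_leak(lookup, start: int, stop: int) -> list:
    """Reviewer's check: walk a range of ids the way an attacker would and
    collect every address the handler hands back. `lookup` maps an id to a
    response; a safe handler yields an empty list."""
    leaked = []
    for sid in range(start, stop):
        resp = lookup(sid)
        if resp.get("status") == 200 and "email" in resp:
            leaked.append((sid, resp["email"]))
    return leaked


if __name__ == "__main__":
    # Attacker walks ids 1000..1009 against the vulnerable page.
    print("vulnerable:", enumerate_leak(unsubscribe_vulnerable, 1000, 1010))
    # Same walk against the hardened page, forging a MAC of all zeros.
    forged = lambda sid: unsubscribe_hardened(f"{sid}.{'00' * 32}")
    print("hardened:  ", enumerate_leak(forged, 1000, 1010))
    # The legitimate link still works for its owner.
    print("own link:  ", unsubscribe_hardened(make_unsubscribe_token(1002)))
```

The enumeration loop is the test worth keeping in a regression suite: point it at any endpoint that accepts an identifier and assert that it returns nothing for ids the caller does not own. Note that the hardened version also stops returning the email at all; even with a valid token, the page has no reason to display data the recipient already has.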
From Molehill to Mountain
Here’s another thing to consider. Even if the email addresses *were* accessed by a hacker, how much trouble would that actually cause? Sure, they’re not intended to be accessible from the company’s webpage (and that’s the principle of the thing), but email addresses are not hard to come by, generally. What’s the worst a hacker could do with an email address? Well, as KrebsOnSecurity pointed out, having two key pieces of information, a user’s email address and the knowledge that they subscribe to a particular service, sets a hacker up to launch a highly targeted spear-phishing attack. The hacker can use that inside knowledge, combined with the email address, to craft a spoofed email far more convincing and effective than a generic phishing attempt. And that phishing email, in turn, can trick the user into giving away really valuable information. So, not only can anything become a potential vulnerability, but the smallest, most innocuous piece of information can do real damage in the wrong hands.
- As an organization, don’t overlook details that could be putting your users’ data at risk. Make sure that developers regularly and carefully review every page and endpoint that takes an identifier from the request, marketing and unsubscribe pages included, and confirm that it checks who is asking before it returns anyone’s data. (Pssst...an OWASP compliance course can provide a helpful framework for that.)
- As a user, be aware that your data--including your email address--is never 100% secure. Keep this in mind when receiving and responding to emails, and be extra vigilant.