
Norton Lifelock password manager hacked. They just sent out official notice this week. They first detected signs of a hacking attempt in December.

Uttamattamakin

Summary

Another password manager hacked.  They first saw signs of a possible hack in progress in early December and confirmed it in just the last few days. 

 

Quotes

Quote

The company said it found that the intruders had compromised accounts as far back as December 1, close to two weeks before its systems detected a “large volume” of failed logins to customer accounts on December 12. (emphasis is mine)

 

QUOTE

“In accessing your account with your username and password, the unauthorized third party may have viewed your first name, last name, phone number, and mailing address,” the data breach notice said. The notice was sent to customers that it believes use its password manager feature, because the company cannot rule out that the intruders also accessed customers’ saved passwords.  (emphasis is mine)

UNQUOTE

 

I removed this from an official "quote" format because some people were not expanding it to read the whole thing then writing that there was not a chance information was really compromised.  Yes this is real; if you have Norton LifeLock, see to your passwords.  Don't wait until you know 100% you have been hacked / compromised / or whatever softer word you want.  There is nothing like being on the phone with the bank and trying to convince them you didn't spend the money. 

 

I also want to clarify when the notices went out.  

According to this website which the original "bleeping computer" article cites it shows a notice sent to the government of Vermont on January 9th.  So from December 1st or so to Jan 9th they maybe had a user here or there to verify their identity.   As far as a general notice and admission to being under attack it would be January 9th.  With the first news report, at bleeping computer on the 13th.   I only heard about it because of a youtube video made by a security focused channel. 

 

http://ago.vermont.gov/blog/2023/01/09/nortonlifelock-gen-digital-data-breach-notice-to-consumers/

 

*

 

My thoughts

DO NOT WAIT for it to be confirmed that passwords have been compromised.  For at least key accounts, banks, jobs and ecommerce sites that save your information, change your passwords now if you used this service.  Ducking only helps if you do it preemptively.  Without bringing up too much unrelated stuff, in a conversation here I get the idea many users do not appreciate how much hackers would love to compromise well known cloud based services.  Password managers are a castle on the landscape of the internet.  That is where the crown jewels are kept.  No matter how secure and professional they are they are a target and under constant siege.

 

Because someone may ask this is not the same hack as the lastpass hack this is another one.  

IF you want to be really secure and use a password manager do not use one that is cloud based or synced to servers that will be a target.  A good password manager to use would be KeePass. https://keepass.info/ This is free and open source.  It keeps an encrypted copy of your passwords on your device.  It is what is used within the very secure operating systems Whonix (a Linux distro one runs in a VM and which sends all traffic via Tor) and Qubes (a daily driver OS in which almost everything is done in isolated VMs.  In Qubes, KeePass would live in its own stripped down VM).

 

The following steps should be used with or without a password manager. 

  • Change all passwords on a regular basis.  At least every few months. 
  • If you have the memory to do so simply memorize certain key passwords.  i.e. for your bank. 
  • Consider storing passwords offline as in written on paper and in a location you feel secure in. 
  • If you use an online password manager, most have a password generator, use it to generate passwords. 
  • Choose a password for the manager that is long and hard to guess. 

Don't wait until you are told your passwords are  compromised to protect your crucial accounts. 

*Given my own experience trying to notify of possible security issues I've heard of and seen reported here I get what this channel says at the end of their video.  Security issues are not the most sexy thing to report on.  They are not pleasant, shiny, or popular.  No one wants to contemplate that the lock on their door only stops the honest, and only stops the dishonest who are not determined enough. 

 

Sources

https://techcrunch.com/2023/01/15/norton-lifelock-password-manager-data/  Reported 20 hours ago

https://www.bleepingcomputer.com/news/security/nortonlifelock-warns-that-hackers-breached-password-manager-accounts/  Reported 2 days ago

 

Edited by Uttamattamakin
Adding context and unhiding a KEY part of the quote that was hidden by default.

You'd think a security company would be, you know... Secure. 

 

And shit like this is why I went with Keepass long ago instead of choosing a cloud based solution like everyone else was doing at the time.

Never trust "the cloud", no matter how convenient it is. Local is best.

At least, if my database leaks out, it will have been my own damn fault and not something out of my power because some idiot inserted a flashdrive they randomly found in the parking lot into a work computer.

CPU: AMD Ryzen 3700x / GPU: Asus Radeon RX 6750XT OC 12GB / RAM: Corsair Vengeance LPX 2x8GB DDR4-3200
MOBO: MSI B450m Gaming Plus / NVME: Corsair MP510 240GB / Case: TT Core v21 / PSU: Seasonic 750W / OS: Win 10 Pro


Just now, emosun said:

the notebook with passwords written in pen is starting to look pretty good again

By the time a crook has compromised it you have bigger problems. 


1 minute ago, TetraSky said:

You'd think a security company would be, you know... Secure. 

 

And shit like this is why I went with Keepass long ago instead of choosing a cloud based solution like everyone else was doing at the time.

Never trust "the cloud", no matter how convenient it is. Local is best.

 

Local is best but ... people want their info available on their phone, tablet, or work computer when traveling.  The idea of a personal cloud living on your hardware, on your network, in your house is a good one.  At least then if a hacker attacks you they'll have to have been targeting you specifically.  

1 minute ago, TetraSky said:

At least, if my database leaks out, it will have been my own damn fault and not something out of my power because some idiot inserted a flashdrive they randomly found in the parking lot into a work computer.

Ah yes the way stuxnet got into Iran's gas centrifuges.  (or the ways it got onto so many computers after Iran reverse engineered it). 


To everyone reading just this thread and not the article, take a deep breath in and exhale.  It's an exaggeration of what happened to really say LifeLock was hacked.  We really need to start having different non-techy words to refer to "hacks" as the title is super misleading and super disingenuous to what is claimed to have happened.

 

Norton mentioned that some accounts were compromised via credential stuffing.  i.e. The people who got their accounts compromised were the people who reused their passwords.

 

@Uttamattamakin try to read the article and understand what has happened before shouting to the world that the sky is falling; as all you did was make it seem as though Norton itself was compromised and as though everyone's passwords are now immediately available when in reality people reused their passwords and used the same one with a password manager.  Under the same concept, I could try claiming Outlook was hacked, or any site was hacked (as many of those sites see credential stuffing happening every day).  The only difference is that Norton reported this as there was a surge with someone attempting it to access the accounts.  Even your article mentioned only 6,450 users were affected by this.

 

Quote from Norton

Quote

Our own systems were not compromised. However, we strongly believe that an unauthorized third party knows and has utilized your username and password for your account

Quote

Gen Digital said it sent notices to about 6,450 customers whose accounts were compromised.

 

Essentially, if you were foolish enough to use a password in multiple places and you used the same password for the utility that stores all of your passwords then you might have been compromised.  If you didn't reuse a password for the password that protects all your other passwords then you are probably okay.

 

So I'll repeat this in bold so that everyone can easily see this.  Norton LifeLock does NOT appear to be hacked, accounts were compromised because people used their password that protects their password on other sites as well.

 

34 minutes ago, TetraSky said:

You'd think a security company would be, you know... Secure. 

It's a massively click-bait title and summary of what happened.  The service is still secure apparently, it's just people reused their login credentials.  There's no way to really prevent against user error. To put this in perspective, they apparently had 500 million accounts...they sent out 6450 notices of compromise to accounts that were accessed.

 

If, let's say, you used 2FA, you were not compromised; if you had a unique password (which you should) to access a list of passwords then you shouldn't be compromised.

3735928559 - Beware of the dead beef


1 hour ago, wanderingfool2 said:

To everyone reading just this thread and not the article, take a deep breath in and exhale.  It's an exaggeration of what happened to really say LifeLock was hacked.  We really need to start having different non-techy words to refer to "hacks" as the title is super misleading and super disingenuous to what is claimed to have happened.

Agreed. The main thing that is not super clear to me from the cited articles is when the notices were sent. I guess the answer is bureaucracy, but a notable delay between a confirmation of a breach and notifying customers would be my biggest critique here.

Crystal: CPU: i7 7700K | Motherboard: Asus ROG Strix Z270F | RAM: GSkill 16 GB@3200MHz | GPU: Nvidia GTX 1080 Ti FE | Case: Corsair Crystal 570X (black) | PSU: EVGA Supernova G2 1000W | Monitor: Asus VG248QE 24"

Laptop: Dell XPS 13 9370 | CPU: i5 10510U | RAM: 16 GB

Server: CPU: i5 4690k | RAM: 16 GB | Case: Corsair Graphite 760T White | Storage: 19 TB


2 hours ago, Uttamattamakin said:

 

Local is best but ... people want their info available on their phone, tablet, or work computer when traveling.  The idea of a personal cloud living on your hardware, on your network, in your house is a good one.  At least then if a hacker attacks you they'll have to have been targeting you specifically. 

Ah, the old "just host it yourself and open ports" approach to hosting a server with all your passwords. Because THAT'S super secure and simple for the AVERAGE end user.....

/s


3 hours ago, wanderingfool2 said:

To everyone reading just this thread and not the article, take a deep breath in and exhale.  It's an exaggeration of what happened to really say LifeLock was hacked.  We really need to start having different non-techy words to refer to "hacks" as the title is super misleading and super disingenuous to what is claimed to have happened.

 

Titles of articles are of finite length. People need to read more.  Also the purpose of this forum is not to replace reading the actual cited articles or sources.   This is a forum not a blog, or a news site in and of itself.   The TLDR is if you use Norton LifeLock it has been "compromised",  breached,  these are all synonyms for hacked.  Change your passwords then take a deep breath. 

 

3 hours ago, wanderingfool2 said:

Norton mentioned that some accounts were compromised via credential stuffing.  i.e. The people who got their accounts compromised were the people who reused their passwords.

 

@Uttamattamakin try to read the article and understand what has happened before shouting to the world that the sky is falling; as all you did was make it seem as though Norton itself was compromised and as though everyone's passwords are now immediately available when in reality people reused their passwords and used the same one with a password manager.  Under the same concept, I could try claiming Outlook was hacked, or any site was hacked (as many of those sites see credential stuffing happening every day).  The only difference is that Norton reported this as there was a surge with someone attempting it to access the accounts.  Even your article mentioned only 6,450 users were affected by this.

IF you clicked on the quote I had above you'd see this quote from the article which contradicts what you said.  SO YOU TRY TO READ AND DON'T BE UNCIVIL.  

 

UNQUOTE. 

“In accessing your account with your username and password, the unauthorized third party may have viewed your first name, last name, phone number, and mailing address,” the data breach notice said. The notice was sent to customers that it believes use its password manager feature, because the company cannot rule out that the intruders also accessed customers’ saved passwords.  (emphasis is mine)

UNQUOTE. 

 

This is a quote I am not putting in a quote lest people miss it. 

 

3 hours ago, wanderingfool2 said:

Quote from Norton

 

Essentially, if you were foolish enough to use a password in multiple places and you used the same password for the utility that stores all of your passwords then you might have been compromised.  If you didn't reuse a password for the password that protects all your other passwords then you are probably okay.

 

So I'll repeat this in bold so that everyone can easily see this.  Norton LifeLock does NOT appear to be hacked, accounts were compromised because people used their password that protects their password on other sites as well.

 

The direct quote from them contradicts this.  Call it by another word compromised if you like. 

3 hours ago, wanderingfool2 said:

 

It's a massively click-bait title and summary of what happened.  The service is still secure apparently, it's just people reused their login credentials.  There's no way to really prevent against user error. To put this in perspective, they apparently had 500 million accounts...they sent out 6450 notices of compromise to accounts that were accessed.

 

If, let's say, you used 2FA, you were not compromised; if you had a unique password (which you should) to access a list of passwords then you shouldn't be compromised.

As for hypotheticals about if people used 2FA etc etc.  Goes against what the article says.  When alerting people to an emerging situation give information.  Give people a heads up, then let them act.  

 

 


1 hour ago, Lurick said:

Ah, the old "just host it yourself and open ports" approach to hosting a server with all your passwords. Because THAT'S super secure and simple for the AVERAGE end user.....

/s

True but why would a random hacker target YOU?  Who are you?  Do you work for a bank, the NSA, CIA, or in R and D.  Are you a known person hackers would think to target?  

 

The strategy of hosting your own information on your own servers with your own security is to keep from being caught up in a mass hack.    We have to balance access to information with security.  

I said before the most secure storage of information would be to chisel it in granite  then bury it in concrete.  Great but what good does that do anyone for 1000-2000 years (when the concrete wears away)?   The point is to practice good operational security and a data backup plan.  Why is that controversial? 


2 minutes ago, Uttamattamakin said:

True but why would a random hacker target YOU?  Who are you?  Do you work for a bank, the NSA, CIA, or in R and D.  Are you a known person hackers would think to target?  

 

The strategy of hosting your own information on your own servers with your own security is to keep from being caught up in a mass hack.    We have to balance access to information with security.  

I said before the most secure storage of information would be to chisel it in granite  then bury it in concrete.  Great but what good does that do anyone for 1000-2000 years (when the concrete wears away)?   The point is to practice good operational security and a data backup plan.  Why is that controversial? 

It's not about super sekret h4x0rs from the government targeting you. It's about bots scanning the internet for open ports and then trying common passwords against the login pages and flagging it even. You're asking your average Joe who thinks DogName+12345 is secure and you want them to host a database of all their credentials on the open internet and keep that system secure?


1 hour ago, tikker said:

Agreed. The main thing that is not super clear to me from the cited articles is when the notices were sent. I guess the answer is bureaucracy, but a notable delay between a confirmation of a breach and notifying customers would be my biggest critique here.

According to this website which the original "bleeping computer" article cites it shows a notice sent to the government of Vermont on January 9th. 

 

So from December 1st or so to Jan 9th they maybe had a user here or there to verify their identity.   As far as a general notice and admission to being under attack it would be January 9th.  With the first news report, at bleeping computer on the 13th.   I only heard about it because of a youtube video made by a security focused channel. 

 

http://ago.vermont.gov/blog/2023/01/09/nortonlifelock-gen-digital-data-breach-notice-to-consumers/ 

 

 


3 minutes ago, Lurick said:

It's not about super sekret h4x0rs from the government targeting you. It's about bots scanning the internet for open ports and then trying common passwords against the login pages and flagging it even. You're asking your average Joe who thinks DogName+12345 is secure and you want them to host a database of all their credentials on the open internet and keep that system secure?

Stop jumping on an anti Utta bandwagon and think clearly for a minute. 

What motivates hackers? 

Money

Power

 

What information is worth money and grants power? 

Financial information (everyone has that)

Trade secrets and industrial secrets. 

National Security secrets.  (Trying not to mention a certain political figure from the US... ran for president a while back for that matter a couple other people ..)

Military secrets

Engineering and applied science research 

 

The average person has not the money,  nor the information worth money that a hacker would spend the time on.    Collect the information of a million or more people and that's a lot of money and a lot of information.  That's the kind of thing that can make a Black hat hacker famous or rich.  Do that, get caught, go to prison, then get a job as a security consultant.  It's a real career path.   That is a thing people have done. 

 


6 minutes ago, Uttamattamakin said:

Stop jumping on an anti Utta bandwagon and think clearly for a minute. 

What motivates hackers? 

Money

Power

 

What information is worth money and grants power? 

Financial information (everyone has that)

Trade secrets and industrial secrets. 

National Security secrets.  (Trying not to mention a certain political figure from the US... ran for president a while back for that matter a couple other people ..)

Military secrets

Engineering and applied science research 

 

The average person has not the money,  nor the information worth money that a hacker would spend the time on.    Collect the information of a million or more people and that's a lot of money and a lot of information.  That's the kind of thing that can make a Black hat hacker famous or rich.  Do that, get caught, go to prison, then get a job as a security consultant.  It's a real career path.   That is a thing people have done. 

 

I can write a script in 30 minutes that crawls the internet probing for open ports and gives me results. I can tweak that script to try various logins depending on how it's presented. A little more time and I can take a list of known banks and once logged in scan for that, attempt to login to those banks, and then collect all sorts of information or even transfer funds out. You're seriously giving the average cyber criminal too much credit if you think they're not going to spin up some scripts on AWS or in some other nation that doesn't give a damn's servers and just hammer the web looking for common open ports and trying logins and common vulnerabilities to steal some money from your average person. If money is so important why do most cyber criminals send emails saying your info has been stolen and asking for money? Because it works! Minimal effort for maximum gain.


22 minutes ago, Lurick said:

I can write a script in 30 minutes that crawls the internet probing for open ports and gives me results. I can tweak that script to try various logins depending on how it's presented. A little more time and I can take a list of known banks and once logged in scan for that, attempt to login to those banks, and then collect all sorts of information or even transfer funds out. You're seriously giving the average cyber criminal too much credit if you think they're not going to spin up some scripts on AWS or in some other nation that doesn't give a damn's servers and just hammer the web looking for common open ports and trying logins and common vulnerabilities to steal some money from your average person. If money is so important why do most cyber criminals send emails saying your info has been stolen and asking for money? Because it works! Minimal effort for maximum gain.

I am aware of "war dialing" buddy.  I've been aware of this since Professor Falken was playing Chess with Joshua.  The average cyber criminal putting this on AWS though ... only if they first compromised the AWS account of someone else who can take the fall.  Certainly not their own.  As for nation state level actors there is no stopping them. 

The average hacker who has some common sense...  The script you describe is basically an elaboration on that idea. 

 

*


Even that usually has a target of some kind.   You have a rough idea of what system you are trying to breach. (So I hear I've never done that.  IJS)   A system that has some value to the hacker.  Hiding in plain sight is one form of security.  Make your system appear average, and normal.   FURTHERMORE doesn't everything you just said apply to even a corporate data center?  We can apply security to our own systems choom.  Like if you are a millionaire and have some real money to go after or some real JUICY information stored in the clear on your devices then sure take more precautions.  For most people being unknown and having things of minimal or sentimental value is protection.  Can't steal what one does not have. 

In fact ... since most home internet does not have a static IP address being able to set up a script to War scan a large block of the internet, then come back and try  to social engineer the password.  The time it takes to go through Falken's maze and figure out their secret password it would be a different IP address within hours. 
 

This is an example of why to not make a password simply the name of anything you like or do or anyone you know.  This is also what we did to Google things back in the day. 


 (This as you know is why most home internet has a dynamic IP along with other technical considerations.  IPv6 may have changed this and broadband may change this depending on the ISP).    Assuming the person has a static IP you may have a point.  Your script could perhaps try the same IP and see if it finds the same system twice separated in time.  So a static IP would be a marker of a possible home server to compromise.

This leads to another story from the video that got me on this story. 

Quote

 

https://www.darkreading.com/threat-intelligence/malware-standard-android-tv-box-amazon

Malware Comes Standard With This Android TV Box on Amazon

The bargain T95 Android TV device was delivered with preinstalled malware, adding to a trend of Droid devices coming out-of-the-box tainted.

 

 

Having more security than your standard home router could be done for not a lot of money.  Anyone trying to host their own personal cloud would know about all of that.  

Trying to keep it light and fun.  I will now step away and ponder that the guy in the movie clips above now looks like this.

Just totally feeling this right now.  


 


22 minutes ago, Uttamattamakin said:

IF you clicked on the quote I had above you'd see this quote from the article which contradicts what you said. 

You are simply fear mongering.

 

It is credential stuffing, it clearly spells that out in the first few paragraphs of both of the articles you posted.  The quote you posted is for those people who were foolish enough to reuse their password and email.

 

To be clear, when people say XYZ was hacked it has a greatly different connotation than what is the truth.  Hacker tried using reused passwords to access Norton LifeLock.  You heavily imply that LifeLock was compromised, which it really wasn't.  Individuals might be compromised, but that is a completely different tale from what you are singing.

 

31 minutes ago, Uttamattamakin said:

The TLDR is if you use Norton LifeLock it has been "compromised",  breached,  these are all synonyms for hacked

No Life Lock wasn't compromised.  Users who reused passwords were compromised.  Two very different things! One implies the system itself was breached, which it wasn't.  The hackers were using the correct password and email combinations.

 

33 minutes ago, Uttamattamakin said:

Titles of articles are of finite length. People need to read more.  Also the purpose of this forum is not to replace reading the actual cited articles or sources.   This is a forum not a blog, or a news site in and of itself.

But you either intentionally or unintentionally are completely ignoring a major key fact that the hackers were using usernames and passwords harvested from other sites not from Norton.  Some other site got hacked, not Norton.

 

36 minutes ago, Uttamattamakin said:

As for hypotheticals about if people used 2FA etc etc.  Goes against what the article says.  When alerting people to an emerging situation give information.  Give people a heads up, then let them act.  

37 minutes ago, Uttamattamakin said:

The direct quote from them contradicts this.  Call it by another word compromised if you like. 

Read the article and try understanding it.  It's literally the second sentence

Quote

In a notice to customers, Gen Digital, the parent company of Norton LifeLock, said that the likely culprit was a credential stuffing attack where previously exposed or breached credentials are used to break into accounts on different sites and services that share the same passwords — rather than a compromise of its systems

Plain and simple, it was a credential stuffing attack.  All the statements are about credential stuffing, they were alerted to the issue because of the large volume of failed login attempts.  So what I said is very much the most likely truth as there is no evidence to speak of otherwise that Norton LifeLock itself was compromised.

 

Again there is a big difference between having people's accounts compromised compared to Norton itself being hacked.  You are screaming the sky is falling when it's just a touch of rain.

3735928559 - Beware of the dead beef
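The credential stuffing pattern discussed in the post above, as an added detection sketch (not code from the thread, Norton or the cited articles). It flags a source whose failed logins in a short window are spread thinly over many different accounts, then looks back for every successful login from that source, including ones that predate the alert, as the notice describes for December 1 versus December 12. The log format, thresholds, per-source-IP grouping and all sample lines are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth log: timestamp, source IP, username, result.
# IPs come from documentation ranges and the usernames are made up.
SAMPLE_LOG = """\
2022-12-01T03:10:00 203.0.113.7 carol OK
2022-12-05T09:00:00 198.51.100.20 dave FAIL
2022-12-05T09:00:20 198.51.100.20 dave FAIL
2022-12-05T09:00:45 198.51.100.20 dave OK
2022-12-12T02:00:00 203.0.113.7 alice FAIL
2022-12-12T02:00:05 203.0.113.7 bob FAIL
2022-12-12T02:00:09 203.0.113.7 erin FAIL
2022-12-12T02:00:14 203.0.113.7 frank OK
2022-12-12T02:00:20 203.0.113.7 grace FAIL
2022-12-12T02:00:26 203.0.113.7 heidi FAIL
2022-12-12T02:00:31 203.0.113.7 ivan FAIL
2022-12-12T02:00:40 203.0.113.7 kim OK
2022-12-12T04:00:00 192.0.2.50 judy FAIL
2022-12-12T04:00:02 192.0.2.50 judy FAIL
2022-12-12T04:00:04 192.0.2.50 judy FAIL
2022-12-12T04:00:06 192.0.2.50 judy FAIL
2022-12-12T04:00:08 192.0.2.50 judy FAIL
2022-12-12T04:00:10 192.0.2.50 judy FAIL
"""

# Assumed thresholds; tune against real traffic.
WINDOW = timedelta(minutes=10)
MIN_ACCOUNTS = 5             # distinct accounts failing from one source
MAX_TRIES_PER_ACCOUNT = 2.0  # stuffing tries each leaked pair once or twice


def parse(log_text):
    """Return time-sorted (timestamp, ip, user, success) tuples."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, ip, user, result = parts
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    events.sort(key=lambda e: e[0])
    return events


def stuffing_sources(events):
    """Map each stuffing-like source IP to the time the alert would fire."""
    fails_by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        if not ok:
            fails_by_ip[ip].append((ts, user))

    flagged = {}
    for ip, fails in fails_by_ip.items():
        start = 0
        for end in range(len(fails)):
            # Slide the window so it never spans more than WINDOW.
            while fails[end][0] - fails[start][0] > WINDOW:
                start += 1
            window = fails[start:end + 1]
            accounts = {user for _, user in window}
            # Many accounts, few tries each: stuffing. One account with
            # many tries (brute force or a typo) does not match.
            if (len(accounts) >= MIN_ACCOUNTS
                    and len(window) / len(accounts) <= MAX_TRIES_PER_ACCOUNT):
                flagged[ip] = fails[end][0]
                break
    return flagged


def exposed_accounts(events, flagged):
    """Successful logins from flagged sources: (time, user, before_alert)."""
    return [
        (ts.isoformat(), user, ts < flagged[ip])
        for ts, ip, user, ok in events
        if ok and ip in flagged
    ]


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    alerts = stuffing_sources(evts)
    for ip, when in alerts.items():
        print("stuffing-like source", ip, "alert at", when.isoformat())
    for ts, user, early in exposed_accounts(evts, alerts):
        print("reset and notify", user, ts, "(before alert)" if early else "")
```

Real campaigns usually spread attempts over many source addresses, so a production rule would also group by other shared traits of the traffic rather than by IP alone.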


7 minutes ago, wanderingfool2 said:

 

Again there is a big difference between having people's accounts compromised compared to Norton itself being hacked.  You are screaming the sky is falling when it's just a touch of rain.

Again.  I am merely reporting what is being said in good faith.  Please don't accuse me of any bad faith as I have not done that to you or anyone else. 


 

"For Customers utilizing the Norton Password Manager feature, the notice warns that the attackers might have obtained details stored in the private vaults. " 

 

 


1 minute ago, Uttamattamakin said:

Again.  I am merely reporting what is being said in good faith.  Please don't accuse me of any bad faith as I have not done that to you or anyone else. 

Just like reporting how One Drive was compromised was in good faith when everything pointed to it being a simple update, because a single user posted they were compromised.

 

You posted heavily implying that LifeLock itself was compromised, when it really wasn't.  It's a simple case of people reusing their password causing their Norton account to be compromised.  That does not mean Norton itself was hacked.  Having click-bait titles and not including details like the fact that the accounts were "compromised" because the person was reusing their password is a major issue.

3735928559 - Beware of the dead beef


Still wouldn't Norton with the Norton, can't trust McAfee, oh wait. For some of the things Norton has done and McAfee as good things, just wouldn't trust anything they are doing anyways. As seen with the crypto, trends, bad UI, and lack of user control. Also when there are better options out there.

Would be cool if LTT did on anti-virus tech, I guess they had one about "what one needs" or password managers? (maybe ad or sponsored video)


6 hours ago, Uttamattamakin said:

IF you want to be really secure and use a password manager do not use one that is cloud based or synced to servers that will be a target.  A good password manager to use would be KeePass. https://keepass.info/ This is free and open source.  It keeps an encrypted copy of your passwords on your device.  It is what is used within the very secure operating systems Whonix (a Linux distro one runs in a VM and which sends all traffic via Tor) and Qubes (a daily driver OS in which almost everything is done in isolated VMs.  In Qubes, KeePass would live in its own stripped down VM).

I wouldn't do that if I were you. If a hacker gains access to the offline database, they could attempt brute-force hacking and might even be successful within months or hours depending on the complexity of the master password and the size of the GPU farm to throw compute resources at it.

 

This is what $15,000 can do
 

Quote

To make their point, the watchdog spent less than $15,000 on building a password-cracking rig — a setup of a high-performance computer or several chained together — with the computing power designed to take on complex mathematical tasks, like recovering hashed passwords. Within the first 90 minutes, the watchdog was able to recover nearly 14,000 employee passwords, or about 16% of all department accounts, including passwords like 'Polar_bear65' and 'Nationalparks2014!'.

 

The watchdog also recovered hundreds of accounts belonging to senior government employees and other accounts with elevated security privileges for accessing sensitive data and systems. Another 4,200 hashed passwords were cracked over an additional eight weeks of testing.

Those aren't what I would consider "weak" passwords. But yeah, with dictionary attacks, it's absolutely weak sauce. If you're going to make a PW, make it an entire sentence at the very least (with random case, number, and special character thrown in).

 

At least with online PW management, there's MFA used and tar pitting of incoming connections to prevent what otherwise would be a DOS attack in the futile attempt. Of course, it doesn't help that LastPass had their backups downloaded. I can only imagine it's a matter of time before the master PWs are cracked there too offline. 😨

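The dependence on master-password complexity and rig size described in the post above, as an added example that is not part of the original post: it estimates the search space a guesser must cover for a password under a blind brute-force model and a "list entry plus digits plus symbol" model, then converts it to time. The word-list size, the capitalisation rule count, the guess rate and the sample passphrase are constructed assumptions, not measurements.

```python
import re

# Constructed assumptions, not measurements.
WORDLIST_SIZE = 1_000_000   # hypothetical list of words and short phrases
CASE_RULES = 4              # capitalisation variants tried per entry
SYMBOLS = 33                # printable ASCII punctuation incl. space
DICEWARE_WORDS = 7776       # size of a standard Diceware word list

def charset_size(pw):
    """Alphabet a blind brute force must cover to reach this password."""
    classes = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10),
               (r"[^a-zA-Z0-9]", SYMBOLS)]
    return sum(n for pattern, n in classes if re.search(pattern, pw))

def guess_space(pw, random_words=0):
    """Smallest search space among the guessing models that can produce pw."""
    spaces = [charset_size(pw) ** len(pw)]            # blind brute force
    # Model: one list entry + up to 4 digits + optional trailing symbol.
    # Assumes the base ("Polar_bear", "Nationalparks") is on the list.
    m = re.fullmatch(r"[A-Za-z_]+?(\d{0,4})([^A-Za-z0-9]?)", pw)
    if m:
        digits = 10 ** len(m.group(1))
        symbol = SYMBOLS if m.group(2) else 1
        spaces.append(WORDLIST_SIZE * CASE_RULES * digits * symbol)
    if random_words:   # caller asserts the words were drawn at random
        spaces.append(DICEWARE_WORDS ** random_words)
    return min(spaces)

def seconds_to_exhaust(space, guesses_per_sec):
    """Worst-case time to try every candidate. A slow key-derivation
    function in the vault format lowers guesses_per_sec."""
    return space / guesses_per_sec

def report(rate=1e10):   # rate is a hypothetical rig speed
    samples = [("Polar_bear65", 0), ("Nationalparks2014!", 0),
               ("six random diceware words here ok", 6)]  # constructed
    return {pw: seconds_to_exhaust(guess_space(pw, n), rate)
            for pw, n in samples}

if __name__ == "__main__":
    for pw, secs in report().items():
        print(f"{pw!r:40} {secs:.3g} s")
```

Under these assumptions the two quoted passwords fall in under a second and about two minutes, while six randomly drawn words stay out of reach at the same rate.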

2 hours ago, Uttamattamakin said:

According to this website which the original "bleeping computer" article cites it shows a notice sent to the government of Vermont on January 9th. 

 

So from December 1st or so to Jan 9th they maybe had a user here or there to verify their identity.   As far as a general notice and admission to being under attack it would be January 9th.  With the first news report, at bleeping computer on the 13th.   I only heard about it because of a YouTube video made by a security-focused channel. 

 

http://ago.vermont.gov/blog/2023/01/09/nortonlifelock-gen-digital-data-breach-notice-to-consumers/ 

 

 

I see. I feel like that notice could've been sent closer to the conclusion of the investigation, but otherwise I don't have much critique on their approach.

1 hour ago, Uttamattamakin said:

Again.  I am merely reporting what is being said in good faith.  Please don't accuse me of any bad faith as I have not done that to you or anyone else. 


 

"For Customers utilizing the Norton Password Manager feature, the notice warns that the attackers might have obtained details stored in the private vaults. " 

 

 

I'm sure you mean good faith, but the wording used just appears to jump the gun a bit.

2 hours ago, Uttamattamakin said:

The TLDR is if you use Norton LifeLock it has been "compromised", breached, these are all synonyms for hacked.

But it was not. Customer accounts were compromised. The average person may use them all interchangeably, but there is an important difference between your account getting compromised because someone obtained your credentials, and the actual service itself being compromised. It's the difference between someone obtaining the key to your apartment because you left it unattended for a minute, for example, and robbing your place versus the apartment complex having a mole handing out keys left and right from the inside. The former doesn't meaningfully impact the security of the apartment complex while the latter means that not a single space in that entire building can be considered safe anymore.

Crystal: CPU: i7 7700K | Motherboard: Asus ROG Strix Z270F | RAM: GSkill 16 GB@3200MHz | GPU: Nvidia GTX 1080 Ti FE | Case: Corsair Crystal 570X (black) | PSU: EVGA Supernova G2 1000W | Monitor: Asus VG248QE 24"

Laptop: Dell XPS 13 9370 | CPU: i5 10510U | RAM: 16 GB

Server: CPU: i5 4690k | RAM: 16 GB | Case: Corsair Graphite 760T White | Storage: 19 TB


1 hour ago, tikker said:

But it was not. Customer accounts were compromised. The average person may use them all interchangeably, but there is an important difference between your account getting compromised because someone obtained your credentials, and the actual service itself being compromised. 

I see your point but that is a difference without distinction as to the action someone affected should take and the results of their inaction.  According to Norton they can't rule out that bad people have the information of their customers.  So take some simple protective action.   That is all 🙂 

 

1 hour ago, StDragon said:

I wouldn't do that if I were you. If a hacker gains access to the offline database, they could attempt brute-force hacking and might even be successful within months or hours depending on the complexity of the master password and the size of the GPU farm to throw compute resources at it.

Assuming the computer is not in their physical possession.   Like there is security and then there is ... the FBI agents have you and your computer in their facility already.  You know at that point does it really matter? 

 

1 hour ago, StDragon said:

This is what $15,000 can do
 

Those aren't what I would consider "weak" passwords. But yeah, with dictionary attacks, it's absolutely weak sauce. If you're going to make a PW, make it an entire sentence at the very least (with random case, number, and special character thrown in).

 

At least with online PW management, there's MFA used and tar pitting of incoming connections to prevent what otherwise would be a DOS attack in the futile attempt. Of course, it doesn't help that LastPass had their backups downloaded. I can only imagine it's a matter of time before the master PWs are cracked there too offline. 😨


I heard about that.  Passwords like 1234password1 aren't great.   Like 2/3 of the Dept. of the Interior's passwords were just that kind of thing. 

2 hours ago, Quackers101 said:

Still wouldn't norton with the Norton, can't trust McAfee, oh wait. For some of the things Norton has done and McAfee as good things, just wouldn't trust anything they are doing anyways. As seen with the crypto, trends, bad UI, and lack of user control. Also when there are better options out there.

Would be cool if LTT did one on anti-virus tech, I guess they had one about "what one needs" or password managers? (maybe ad or sponsored video)

20 years ago give or take I'd have Norton on all the computers on the network in the house me and my roommates rented in college.  Came free with the cable internet service.   You know can't be too careful when not downloading episodes of Curb Your Enthusiasm, on LimeWire or Eminem's Stan on Napster.     Norton Utilities are still very useful but relying on a corporate package for security and anti virus is no longer needed or really effective.  

 

3 hours ago, wanderingfool2 said:

Just like reporting how One Drive was compromised was in good faith when everything pointed to it being a simple update, because a single user posted they were compromised.

  This is not that.  This is confirmed and you have the company itself saying that users' vaults may have been compromised.  It just took them a month to own up to it.  The only way this could relate to that is an example showing that companies are in no sense obligated to instantly confess to being compromised/ hacked / etc.  PLUS I put in big letters it was an UNCONFIRMED report.  Within a MUCH BIGGER item about the service being down which it was.  

People just focused on the one little bit because that bit is interesting.   Besides that has its own thread.  

 


11 hours ago, Lurick said:

Ah, the old "just host it yourself and open ports" approach to hosting a server with all your passwords. Because THAT'S super secure and simple for the AVERAGE end user.

I mean or the takeaway is that "password managers" simply were never a good idea?

 

The main problem, that you need a gazillion accounts and usernames etc, is not solved by this, plus it's obviously not a reliable way to tackle that issue... sure it seems so on the surface, until it stops working or you lose your "master password"!

 

 

The direction tells you... the direction

-Scott Manley, 2021

 

Softwares used:

Corsair Link (Anime Edition) 

MSI Afterburner 

OpenRGB

Lively Wallpaper 

OBS Studio

Shutter Encoder

Avidemux

FSResizer

Audacity 

VLC

WMP

GIMP

HWiNFO64

Paint

3D Paint

GitHub Desktop 

Superposition 

Prime95

Aida64

GPUZ

CPUZ

Generic Logviewer

 

 

 


6 hours ago, Uttamattamakin said:

 showing that companies are in no sense obligated to instantly confess to being compromised/ hacked / etc.  PLUS I put in big letters it was an UNCONFIRMED report.  Within a MUCH BIGGER item about the service being down which it was.  

Maybe they aren't (that will depend though obviously) but they surely are responsible for the damages that happen due to them not informing customers in a timely manner?



7 hours ago, Uttamattamakin said:

I see your point but that is a difference without distinction as to the action someone affected should take and the results of their inaction.  According to Norton they can't rule out that bad people have the information of their customers.  So take some simple protective action.   That is all 🙂 

There is a distinction. One (LifeLock itself having been compromised) has far-reaching implications that LifeLock now basically can never be trusted anymore and that Norton may as well cancel it. The other means simply that login information was obtained and some customer information was retrieved that should arguably be considered public information anyway (not that it is acceptable, but your first and last name, and email address aren't exactly secret information). They can't rule out that bad actors have that information just like you or I can't rule out that nobody in the world has a copy of our LTT Forum credentials or that there hasn't been a silent breach nobody will know for another year, but at this point it comes down to whether you trust the investigation. They say they have identified and informed the affected customers.

1 hour ago, Mark Kaine said:

I mean or the takeaway is that "password managers" simply were never a good idea?

 

The main problem, that you need a gazillion accounts and usernames etc, is not solved by this, plus it's obviously not a reliable way to tackle that issue... sure it seems so on the surface, until it stops working or you lose your "master password"!

 

 

It's a balancing act right. The dozens to hundreds of accounts you need nowadays, as you say, all requiring a password will lead to a ton of reused passwords. Having a password manager generate a long strong password for them and manage those for you will reduce that risk. At the same time it means outsourcing some trust to an external entity. Opposite to that again, why would we assume to know how to keep our passwords safe better than companies specialising in it? As said above, you are guaranteed to make simple mistakes when hosting your own stuff and managing our own passwords is unlikely to be more secure than a piece of paper in a drawer or a text file on our disk.



This topic is now closed to further replies.
