Data breach notifications are being sent out to customers of Gen Digital (formerly Symantec Corp. and NortonLifeLock) after their Norton Password Manager accounts were breached. Hackers were able to access the accounts through credential-stuffing attacks on the platform.
Credential stuffing is when hackers use bots to take stolen usernames and passwords and try them against thousands of other websites in the hope of gaining access to more victim accounts. This is why it’s exceptionally critical to use strong and unique passwords for every single online account.
The Office of the Vermont Attorney General states that the accounts were compromised through an account on an alternative platform rather than through the company directly. The notice goes on to reveal that the data was purchased on the Dark Web around Dec 1st, 2022.
Gen Digital noticed an “unusually large volume” of failed login attempts on Dec 12th and investigated the issue. By Dec 22nd, the company’s investigation had confirmed that the attack had been successful.
While Norton has already reset passwords on impacted accounts and urged customers to set up multifactor authentication, they stress that personal vaults may be compromised. This means that customers may have had their private data for other online accounts revealed to hackers and stolen during the attack.
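The failed-login spike described above is the kind of signal that can be checked in authentication logs. The sketch below is an added example, not code from Gen Digital or the notice: it flags source IPs that fail logins against many distinct usernames within a short window and lists accounts that logged in successfully from those same sources. The log format, thresholds and sample lines are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; the line format and all values are assumptions.
SAMPLE_LOG = """\
2022-12-12T10:00:01 ip=203.0.113.7 user=alice result=FAIL
2022-12-12T10:00:02 ip=203.0.113.7 user=bob result=FAIL
2022-12-12T10:00:03 ip=203.0.113.7 user=carol result=OK
2022-12-12T10:00:04 ip=203.0.113.7 user=dave result=FAIL
2022-12-12T10:00:05 ip=203.0.113.7 user=erin result=FAIL
2022-12-12T10:01:00 ip=198.51.100.20 user=frank result=FAIL
2022-12-12T10:01:20 ip=198.51.100.20 user=frank result=FAIL
2022-12-12T10:01:45 ip=198.51.100.20 user=frank result=OK
"""

WINDOW = timedelta(minutes=5)  # assumed look-back window
MIN_DISTINCT_USERS = 4         # assumed threshold: distinct usernames failing per IP


def parse(line):
    """Split 'timestamp key=value ...' into (time, ip, user, result)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["ip"], kv["user"], kv["result"]


def detect(log_text):
    """Return {ip: {"failed": set, "compromised": set}} for stuffing-like sources."""
    by_ip = defaultdict(list)
    for ev in sorted(parse(l) for l in log_text.splitlines() if l.strip()):
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        fails = [(ts, user) for ts, _, user, res in evs if res == "FAIL"]
        start = 0
        for end in range(len(fails)):
            # Shrink the window until it spans at most WINDOW of time.
            while fails[end][0] - fails[start][0] > WINDOW:
                start += 1
            if len({u for _, u in fails[start:end + 1]}) >= MIN_DISTINCT_USERS:
                findings[ip] = {
                    "failed": {u for _, u in fails},
                    # A success from a flagged source suggests a reused password
                    # worked: these accounts need a reset and review.
                    "compromised": {u for _, _, u, r in evs if r == "OK"},
                }
                break
    return findings
```

Calling `detect(SAMPLE_LOG)` flags only the source that sprays many usernames; the user who mistypes their own password twice is left alone.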
They are offering credit monitoring services to those affected.
This breach comes in the wake of LastPass’s cyber attack and breach. Read our previous blog post about it here: “It’s time to leave LastPass after Cyber Attack Severity Downplayed; Class Action Lawsuit Filed” (Motiva Networks Blog).