How LifeLock Exposed Your Email Address

UPDATED 4:30 p.m. Eastern Thursday with comment from LifeLock.

When a company specifically designed to prevent identity theft starts leaking your information, there's a moment of delicious irony — possibly followed by indignation. LifeLock, which is paid to keep its customers' personal data as safe as possible, had a bug on its website that let anyone see customer email addresses by just changing a couple of numbers in a web-browser address bar.

This news broke after independent security reporter Brian Krebs was contacted by a reader of his Krebs on Security blog. The reader, Nathan Reese, is a security researcher who was once a LifeLock customer. An email from the company told Reese he could get a discount if he reactivated his subscription, and Reese, wanting to get off the LifeLock mailing list, clicked through. It was then that he noticed the URL.

Right in the hyperlink, plain as day, was a field called "subscriberkey" with a number right next to it: Reese's own subscriber email ID.

Reese swapped in random numbers and refreshed the page, which confirmed his suspicions: By hitting the right number in the hyperlink, Reese could see another LifeLock user's email address in plain text, as well as manipulate that user's email subscription preferences. Reese told Krebs that he collected about 70 email addresses in this manner just to prove that he could.
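The flaw described above is a classic insecure direct object reference: the opt-out page trusted the numeric subscriberkey in the URL and returned whatever record it pointed at. The example below is added here and is not LifeLock's or its vendor's code; it contrasts that insecure lookup with the usual fix for login-free email links, binding the identifier to an HMAC tag so that swapping the number (or incrementing it, as Krebs warns later) yields nothing. The subscriber table, host name and parameter name `sig` are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample subscriber table standing in for the real database.
SUBSCRIBERS = {
    1001: "alice@example.com",
    1002: "bob@example.com",
}

# Server-side secret; in production it would come from a secrets manager.
SERVER_KEY = secrets.token_bytes(32)


def vulnerable_lookup(url: str) -> Optional[str]:
    """Insecure pattern: trust the numeric subscriberkey in the URL as-is."""
    key = int(parse_qs(urlparse(url).query)["subscriberkey"][0])
    return SUBSCRIBERS.get(key)


def sign(subscriber_id: int) -> str:
    """HMAC tag that ties a link to one subscriber; unforgeable without SERVER_KEY."""
    return hmac.new(SERVER_KEY, str(subscriber_id).encode(), hashlib.sha256).hexdigest()


def make_optout_url(subscriber_id: int) -> str:
    """What the marketing email should carry: the id plus its signature."""
    return f"https://example.invalid/optout?subscriberkey={subscriber_id}&sig={sign(subscriber_id)}"


def hardened_lookup(url: str) -> Optional[str]:
    """Honour the key only when its signature verifies; a guessed number fails."""
    params = parse_qs(urlparse(url).query)
    try:
        key = int(params["subscriberkey"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return None
    if not hmac.compare_digest(sig, sign(key)):
        return None  # tampered or guessed identifier: reveal nothing
    return SUBSCRIBERS.get(key)


def swap_subscriber_key(url: str, new_id: int) -> str:
    """Reproduce the 'change the number in the address bar' step for testing."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    params["subscriberkey"] = [str(new_id)]
    return parsed._replace(query="&".join(f"{k}={v[0]}" for k, v in params.items())).geturl()
```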

On the surface, this may seem like a relatively minor breach of privacy. After all, the only information exposed is a user's email address, and it's not at all clear whether anyone other than Reese had discovered or exploited this flaw. There is no clear link between the numbers in the subscriber key and the characters in a user's email address, and being able to read the email address did not give the viewer access to a user's LifeLock account.

But, as Krebs pointed out, "It would be trivial to write a simple script that pulls down the e-mail address of every LifeLock subscriber." (Notorious hacker Andrew Auernheimer, aka "Weev," spent more than a year in federal prison for doing just that in 2010 to an AT&T subscriber website that had an identical flaw.)

In other words: A savvy cybercriminal could have simply trawled the LifeLock subscriber page, increasing key numbers incrementally, until he or she had a database of everyone signed up to receive emails from the service. At that point, he or she could phish those people, a large number of whom would be actual LifeLock customers, with realistic facsimiles of the LifeLock login page, or spear-phish high-profile users for even more sensitive data.

"If I were a bad guy, I would definitely target your customers with a phishing attack, because I know two things about them," Reese told Krebs. "That they're a LifeLock customer and that I have those customers' email addresses. That's a pretty sharp spear for my spear-phishing right there."

There's not much for LifeLock users to do at this point, since the company has already addressed the flaw, taking down the entire website for several hours immediately after Krebs contacted the company and only putting it back up after the issue was fixed.

In a statement posted by Krebs, LifeLock and its owner, antivirus software maker Symantec, blamed the whole debacle on an unnamed third company that was handling the email-subscription page.

"Based on our investigation," the statement read, "aside from the 70 email address accesses reported by the researcher, we have no indication at this time of any further suspicious activity on the marketing opt-out page."

Still, it just goes to show you that not every identity-protection company can offer you complete privacy online. At the end of the day, there will always be a tradeoff between convenience and security; you can never have 100 percent of both.

UPDATE: A LifeLock spokeswoman contacted Tom's Guide to tell us that only the email-subscription page was taken offline, not the entire site. By the time we checked, the site was working properly, so we can't tell whether Krebs was accurate in saying the entire domain was taken down.

Marshall Honorof

Marshall Honorof is a senior editor for Tom's Guide, overseeing the site's coverage of gaming hardware and software. He comes from a science writing background, having studied paleomammalogy, biological anthropology, and the history of science and technology. After hours, you can find him practicing taekwondo or doing deep dives on classic sci-fi.