Norton LifeLock parent company Gen Digital says that hackers likely used a credential stuffing attack to compromise customers’ password managers. The breach began as early as December 1, 2022, although Gen Digital did not detect the issue until they became aware of a large volume of failed login attempts around December 12. The company has sent notifications to roughly 6,500 individuals whose accounts were compromised.
- Per previous comments in Newsbites, it is obvious that attackers have targeted password manager software – not surprising since all those tasty eggs are in one tempting basket. LastPass, Okta, now Norton Password Manager. If you are using or considering other password managers, get assurances they are going back and making sure they have not been compromised.
- Protecting online access to a password manager with a simple username and password is negligent. After all, the main selling point of a password manager is that users will not be able to remember complex passwords.
- The cliché “only as good as your weakest link” comes to mind. As hard as we’ve worked to encourage the selection of strong credentials, leveraging a password manager to keep it all straight, we still have a human behavior challenge. The challenge is to train users not only to use good pass-phrases, or MFA if available, to protect their password manager, but also to keep an eye out for breach notifications and update affected passwords.