How LifeLock Exposed Your Email Address
A bug on the LifeLock website let you look up email addresses of any of its subscribers with a few trivial number substitutions.
UPDATED 4:30 p.m. Eastern Thursday with comment from LifeLock.
When a company specifically designed to prevent identity theft starts leaking your information, there's a moment of delicious irony — possibly followed by indignation. LifeLock, which is paid to keep its customers' personal data as safe as possible, had a bug on its website that let anyone see customer email addresses by just changing a couple of numbers in a web-browser address bar.
This news broke after independent security reporter Brian Krebs was contacted by a reader of his Krebs on Security blog. The reader, Nathan Reese, is a security researcher who was once a LifeLock customer. An email from the company told Reese he could get a discount if he reactivated his subscription, and Reese, wanting to get off the LifeLock mailing list, clicked through. It was then that he noticed the URL.
Right in the hyperlink, plain as day, was a field called "subscriberkey" with a number right next to it: Reese's own subscriber email ID.
Reese swapped in random numbers and refreshed the page, which confirmed his suspicions: By hitting the right number in the hyperlink, Reese could see another LifeLock user's email address in plain text, as well as manipulate that user's email subscription preferences. Reese told Krebs that he collected about 70 email addresses in this manner just to prove that he could.
On the surface, this may seem like a relatively minor breach of privacy. After all, the only information exposed is a user's email address, and it's not at all clear whether anyone other than Reese had discovered or exploited this flaw. There is no clear link between the numbers in the subscriber key and the characters in a user's email address, and being able to read the email address did not give the viewer access to a user's LifeLock account.
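The flaw described above is a textbook insecure direct object reference: the "subscriberkey" in the URL is the database key itself, so any value that exists resolves to someone's record. The following is an added example, not code from the article or from LifeLock, Symantec, or the unnamed vendor that ran the opt-out page. It shows the flawed lookup beside a hardened version that issues an unguessable, HMAC-signed per-subscriber token and refuses to return anything for a forged or altered one, plus a small defender's check over access-log lines that flags a client requesting many distinct subscriber keys, the probing pattern the article describes. The subscriber records, the signing key, the log format and the alert threshold are all constructed for illustration.

```python
"""Added example (not the page's or LifeLock's own code): a guessable-key
lookup beside a signed-token lookup, and a log check for key enumeration.
All data below is constructed for illustration."""
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample records: sequential integer IDs mapped to addresses.
SUBSCRIBERS = {
    1001: "alice@example.com",
    1002: "bob@example.com",
    1003: "carol@example.com",
}

# Hypothetical server-side secret; a real deployment loads it from a secret store.
SIGNING_KEY = b"constructed-demo-secret-do-not-reuse"


def lookup_vulnerable(subscriberkey: int):
    """The flawed pattern: the URL parameter is the database key, and nothing
    ties the request to the subscriber it names. Any existing key answers."""
    return SUBSCRIBERS.get(subscriberkey)


def make_optout_token(subscriber_id: int) -> str:
    """Hardened: mint a token of the form '<id>.<hex nonce>.<hex HMAC>'.
    The random nonce makes the token impossible to derive by counting, and
    the HMAC covers both id and nonce, so editing either part invalidates it."""
    nonce = secrets.token_hex(16)
    msg = f"{subscriber_id}.{nonce}".encode()
    sig = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    return f"{subscriber_id}.{nonce}.{sig}"


def lookup_hardened(token: str):
    """Verify the signature before touching the record. Returns None for a
    malformed token, a bad signature, or a token whose id field was changed."""
    try:
        id_str, nonce, sig = token.split(".")
        subscriber_id = int(id_str)
    except ValueError:
        return None
    msg = f"{id_str}.{nonce}".encode()
    expected = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    return SUBSCRIBERS.get(subscriber_id)


def flag_enumeration(log_lines, threshold=5):
    """Defender's check over constructed access-log lines shaped like
    '<client_ip> GET /optout?subscriberkey=<n>'. Returns the clients that
    requested more than `threshold` distinct keys (threshold is an assumed
    tuning value; one legitimate user touches only their own key)."""
    keys_by_client = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3 or "subscriberkey=" not in parts[2]:
            continue
        client = parts[0]
        key = parts[2].split("subscriberkey=", 1)[1]
        keys_by_client[client].add(key)
    return sorted(c for c, keys in keys_by_client.items() if len(keys) > threshold)


# Constructed log sample: one client walks eight consecutive keys, another
# client revisits its own key twice.
SAMPLE_LOG = [f"203.0.113.7 GET /optout?subscriberkey={k}" for k in range(1001, 1009)]
SAMPLE_LOG += [
    "198.51.100.2 GET /optout?subscriberkey=1002",
    "198.51.100.2 GET /optout?subscriberkey=1002",
]


if __name__ == "__main__":
    print("vulnerable lookup of 1002:", lookup_vulnerable(1002))
    tok = make_optout_token(1001)
    print("valid token resolves:", lookup_hardened(tok))
    id_part, nonce, sig = tok.split(".")
    print("id swapped in token:", lookup_hardened(f"1002.{nonce}.{sig}"))
    print("clients probing many keys:", flag_enumeration(SAMPLE_LOG))
```

The token approach is one fix; an equally valid one is to require the user to be logged in and to check that the requested key belongs to the authenticated account. Either way, the rule is the same: the server, not the client, decides which record a request may touch, and the log check catches the case where that rule was missed.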
But, as Krebs pointed out, "It would be trivial to write a simple script that pulls down the e-mail address of every LifeLock subscriber." (Notorious hacker Andrew Auernheimer, aka "Weev," spent more than a year in federal prison for doing just that in 2010 to an AT&T subscriber website that had an identical flaw.)
In other words: A savvy cybercriminal could have simply trawled the LifeLock subscriber page, increasing key numbers incrementally, until he or she had a database of everyone signed up to receive emails from the service. At that point, he or she could phish those people, a large number of whom would be actual LifeLock customers, with realistic facsimiles of the LifeLock login page, or spear-phish high-profile users for even more sensitive data.
"If I were a bad guy, I would definitely target your customers with a phishing attack, because I know two things about them," Reese told Krebs. "That they're a LifeLock customer and that I have those customers' email addresses. That's a pretty sharp spear for my spear-phishing right there."
There's not much for LifeLock users to do at this point, since the company has already addressed the flaw, taking down the entire website for several hours immediately after Krebs contacted the company and only putting it back up after the issue was fixed.
In a statement posted by Krebs, LifeLock and its owner, antivirus software maker Symantec, blamed the whole debacle on an unnamed third company that was handling the email-subscription page.
"Based on our investigation," the statement read, "aside from the 70 email address accesses reported by the researcher, we have no indication at this time of any further suspicious activity on the marketing opt-out page."
Still, it just goes to show you that not every identity-protection company can offer you complete privacy online. At the end of the day, there will always be a tradeoff between convenience and security; you can never have 100 percent of both.
UPDATE: A LifeLock spokeswoman contacted Tom's Guide to tell us that only the email-subscription page was taken offline, not the entire site. By the time we checked, the site was working properly, so we can't tell whether Krebs was accurate in saying the entire domain was taken down.
Marshall Honorof is a senior editor for Tom's Guide, overseeing the site's coverage of gaming hardware and software. He comes from a science writing background, having studied paleomammalogy, biological anthropology, and the history of science and technology. After hours, you can find him practicing taekwondo or doing deep dives on classic sci-fi.