Bleeping Computer is reporting that Norton LifeLock’s Password Manager accounts have been pwned:
According to a letter sample shared with the Office of the Vermont Attorney General, the attacks did not result from a breach on the company but from account compromise on other platforms.
“Our own systems were not compromised. However, we strongly believe that an unauthorized third party knows and has utilized your username and password for your account,” NortonLifeLock said.
“This username and password combination may potentially also be known to others.”
More specifically, the notice explains that around December 1, 2022, an attacker used username and password pairs they bought from the dark web to attempt to log in to Norton customer accounts.
The firm detected “an unusually large volume” of failed login attempts on December 12, 2022, indicating credential stuffing attacks where threat actors try out credentials in bulk.
By December 22, 2022, the company had completed its internal investigation, which revealed that the credential stuffing attacks had successfully compromised an undisclosed number of customer accounts.
Norton has since reset passwords on impacted accounts, introduced additional measures to fend off attacks, and advises customers to enable two-factor authentication on their accounts. It also offers the use of a credit monitoring service.
But if you want my opinion, given this and the LastPass gong show, using an online password manager now seems to be a really bad idea. And if you’re a user of one of these services, you might want to reconsider that decision.