LifeLock, the identity theft protection company, has put millions of customer emails at risk for phishing and identity theft attacks, thanks to a bug on its website.
The bug enabled customer email addresses to be harvested by simply changing one number in the URL of a web page used by customers to unsubscribe from LifeLock communications.
It’s important to note that this is not a breach, but it is a vulnerability to pay attention to since ID thieves can use email addresses to steal other personal info.
Responsible stewardship of critical data is our central mission, and we take these matters very seriously. The issue was limited to potential exposure of email addresses on a marketing page, managed by a third party, intended to allow recipients to unsubscribe from marketing emails. The issue was not with our main member portal or any other pages on LifeLock.com besides the marketing opt-out page.
Here is what you should do:
- Do not click on any suspicious-looking links in those messages and instead forward any suspicious email to the company itself. Call the company directly to confirm whether any such messaging is actually from them.
- Do not enter any personal info or credentials via links in emails. If you need to make updates, go directly to the company’s website to do so.
LifeLock monitors identity-related events, such as new account openings and credit-related applications. The company offers a $1 Million Service Guarantee.
In late 2016, Symantec bought Lifelock for $2.3 billion. Shares of Symantec were up 0.4% at $20.77 on Thursday.