LifeLock, the provider of online identity protection, took its website offline on Wednesday (July 25) after Brian Krebs, the security researcher, disclosed a design flaw that enables email addresses of subscribers to be harvested. In 2016, Symantec acquired LifeLock, which had 4.5 million customers as of the beginning of 2017.
Fortune reported that Krebs was alerted to the flaw by Nathan Reese, another researcher. According to the report, the subscription management page on LifeLock's website identified subscribers by a sequential account number; changing that number in the request returned the email address of whichever subscriber held it. Because the numbers are sequential, an attacker could walk through them and harvest email addresses in bulk, then launch phishing campaigns pretending to be from LifeLock.
While there is no evidence that attackers did so, Fortune noted that Reese was able to retrieve 70 email addresses without being locked out, meaning the page applied no rate limiting or lockout. After Krebs contacted Symantec, the site was taken offline. When it came back online, the page required users to supply a valid email address; it no longer accepts a bare user ID.
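The pattern described above is an insecure direct object reference: the opt-out page trusted a guessable identifier as proof of who was asking. The following added example (not LifeLock's or Symantec's code; the account table and addresses are constructed) models the vulnerable lookup, the enumeration that Reese's 70 addresses imply, the email-bound check the article describes as the fix, and, as a further hardening step that the page does not attribute to LifeLock, an unsubscribe token that is an HMAC over the account ID under a server-side secret, so the link cannot be forged by counting upward.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

# Constructed sample data, not LifeLock records: sequential IDs map to emails.
ACCOUNTS = {
    1001: "alice@example.com",
    1002: "bob@example.com",
    1003: "carol@example.com",
}


def unsubscribe_lookup_vulnerable(account_id: int) -> Optional[str]:
    """Vulnerable pattern: the bare sequential ID is the only input, so the
    page reveals the email on file to anyone who supplies a number."""
    return ACCOUNTS.get(account_id)


def harvest(start: int, count: int) -> List[Tuple[int, str]]:
    """What an attacker does against the vulnerable page: walk the ID space."""
    found = []
    for account_id in range(start, start + count):
        email = unsubscribe_lookup_vulnerable(account_id)
        if email is not None:
            found.append((account_id, email))
    return found


def unsubscribe_email_bound(account_id: int, email: str) -> bool:
    """The fix the article describes: the caller must supply the email as well.
    The page only confirms or denies a pair the caller already holds, so
    enumeration no longer yields addresses the attacker did not know."""
    on_file = ACCOUNTS.get(account_id)
    if on_file is None:
        return False
    return hmac.compare_digest(on_file.encode(), email.encode())


# Hypothetical server-side secret for signed unsubscribe links (assumption:
# standard practice, not something the page says LifeLock deployed).
SERVER_SECRET = secrets.token_bytes(32)


def make_unsubscribe_token(account_id: int, secret: bytes = SERVER_SECRET) -> str:
    """Token embedded in the unsubscribe link: HMAC-SHA256(secret, account_id)."""
    return hmac.new(secret, str(account_id).encode(), hashlib.sha256).hexdigest()


def unsubscribe_lookup_hardened(account_id: int, token: str,
                                secret: bytes = SERVER_SECRET) -> Optional[str]:
    """Hardened lookup: the token must match the HMAC for this exact ID.
    Changing the ID in the link without the secret invalidates the token."""
    expected = make_unsubscribe_token(account_id, secret)
    if not hmac.compare_digest(expected, token):
        return None
    return ACCOUNTS.get(account_id)


def harvest_hardened(start: int, count: int) -> List[Tuple[int, str]]:
    """Same enumeration against the hardened page with a forged token."""
    forged = "0" * 64
    found = []
    for account_id in range(start, start + count):
        email = unsubscribe_lookup_hardened(account_id, forged)
        if email is not None:
            found.append((account_id, email))
    return found


if __name__ == "__main__":
    print("vulnerable page leaks:", harvest(1000, 10))
    print("email-bound check with a guessed address:",
          unsubscribe_email_bound(1001, "guess@example.com"))
    print("hardened page leaks:", harvest_hardened(1000, 10))
    print("legitimate link works:",
          unsubscribe_lookup_hardened(1001, make_unsubscribe_token(1001)))
```

The email-bound check matches what the article says the restored page does and stops bulk harvesting, but it still lets an attacker confirm whether a specific address is a LifeLock subscriber; the signed token removes even that oracle, and rate limiting on the endpoint is the natural companion to either change.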
“This issue was not a vulnerability in the LifeLock member portal,” a Symantec spokesperson said in a statement provided to Fortune. “The issue has been fixed and was limited to potential exposure of email addresses on a marketing page, managed by a third party, intended to allow recipients to unsubscribe from marketing emails. Based on our investigation, aside from the 70 email addresses reported by the researcher, we have no indication at this time of any further suspicious activity on the marketing opt-out page.”
In February of 2017, Symantec announced the closing of the $2.3 billion deal to buy LifeLock. At the time, the company said that more than one-third of Americans and more than 650 million people globally were victims of cybercrime in 2016 alone, making digital safety a top concern for consumers. Identity protection is estimated to be a $10 billion market.