At a glance.
- Thousands of Norton LifeLock accounts compromised.
- Hacktivists spill Cellebrite data.
- ODIN Intelligence website defaced.
Credential-stuffing affects Norton LifeLock users.
Norton LifeLock customers have been notified that their Password Manager accounts were breached by hackers in what appears to be a credential stuffing attack. Bleeping Computer reports that parent company Gen Digital sent notification letters to thousands of LifeLock customers informing them that the hacks were the result of the breach of a third-party platform, not of Norton LifeLock directly. The letter reads, “Our own systems were not compromised. However, we strongly believe that an unauthorized third party knows and has utilized your username and password for your account.”
As TechCrunch details, Gen Digital first became aware of suspicious activity on December 12, when an unusually large number of unsuccessful user login attempts were detected. The subsequent investigation revealed that the attacks had begun on December 1, and that many accounts had been successfully breached. Users’ first names, last names, phone numbers, and mailing addresses were compromised, and for users of Norton Password Manager, it’s possible the data stored in their private vaults were also accessed. Though the exact number of victims has not been disclosed, Gen Digital said it sent notices to over six thousand customers.
The incident is yet further evidence of the benefits of multifactor authentication, as the breaches would likely have been thwarted if the security measure had been in place. In addition to implementing extra safeguards, Gen Digital says it has changed the passwords of the compromised accounts, and recommends that all users who do not use multifactor authentication set it up as soon as possible. Computing notes that this is not the first time in recent years that a password manager has been targeted by hackers. LastPass suffered an impersonation attack in August 2022, and Passwordstate was hacked in 2021.
Benjamin Fabre, CEO at DataDome, sees the incident as proving the need for account protection tools.
“The Norton LifeLock breach underscores the need for account protection tools that can deal with sophisticated bots. Credential stuffing relies on the widespread problem of password reuse to gain access to online accounts. Because 81% of individuals reuse the same or similar passwords for multiple accounts, malicious threat actors with access to a list of leaked credentials have an easy time finding valid login and password combinations.
"And now, it’s easier than ever: hackers can get started with credential stuffing attacks by investing as little as $500 in credential stuffing (otherwise known as “account checking”) software, access to email and password combo lists, and the use of both public and private proxy services for obfuscation. Today’s automated credential cracking and credential stuffing tools are designed to check hundreds of thousands of credential combinations against multiple websites.”
Hacktivists spill Cellebrite data.
Security Affairs reports that 1.7 TB of data belonging to leading mobile forensics firm Cellebrite has been leaked by the Enlace Hacktivist collective. The company’s Universal Forensic Extraction Device (UFED), which is used by police and intelligence agencies to access data on mobile devices, has been criticized by privacy advocates who say the tool could be abused to violate human rights, and some argue UFED has been used across the globe to spy on journalists, activists and dissidents. As a result, Cellebrite has been targeted by hacktivists and whistleblowers seeking to uncover the company’s misdeeds. In this incident, a whistleblower helped Enlace to obtain the Cellebrite data, as well as data belonging to Swedish forensics firm MSAB. The leaked data includes the entire Cellebrite suite, as well as a large database of files used for the localization of software and technical guides for customers.
ODIN Intelligence website defaced.
As we previously noted, it was discovered last week that a vulnerability in SweepWizard, an app developed by information management firm ODIN Intelligence to coordinate multi-agency police raids, had been leaking highly confidential law enforcement data to the open internet due to a misconfiguration error. ODIN founder and chief executive Erik McCauley largely dismissed the reports that SweepWizard was exposing police raid data. On Sunday, TechCrunch reports, ODIN Intelligence’s website was defaced in an apparent hack aided by non-profit transparency collective DDoSecrets. The attackers inscribed the site with a message spelling out the letters “ACAB,” an acronym for “All Cops Are Bastards.” Though it’s unclear who carried out the attack, their motivation appears to be McCauley’s dismissal of the reports of SweepWizard’s misconfiguration, as a message left behind by the hackers quoted McCauley’s denial and stated, “And so, we decided to hack them.” Whether the attackers stole data from ODIN’s systems remains to be seen. In their message on the ODIN site, the attackers said, “all data and backups have been shredded,” but DDoSecrets co-founder Emma Best says that data was exfiltrated from ODIN’s servers and that DDoSecrets is in possession of it. McCauley has not yet commented on the incident, but the ODIN website has been taken offline.
Ilia Kolochenko, Founder of ImmuniWeb and a member of Europol Data Protection Experts Network, described the most recent phase of the ODIN incident.
"Third-party vendors and suppliers are actually the Achilles' heel of law enforcement agencies. Per se, a website defacement is a low-risk security incident, mostly carrying out reputational consequences. In this case, however, there are various indicators that the website defacement may be just the tip of the iceberg of a major data breach. If confirmed, the alleged intrusion may be one of the most harmful data breaches of 2023 given the highly confidential and classified nature of the information that could have been compromised by the attackers.
"If law enforcement intelligence data ends up in hands of organized crime, it may lead to tragic consequences for police officers and undercover agents. This is not to mention that years of complex and resource-consuming police investigations may be wasted and criminals eventually go unpunished. I would, however, refrain from making conclusions before ODIN Intelligence comments on the scope and nature of the incident. All law enforcement agencies that the breach could have impacted should urgently audit what kind of their data could have been stolen to understand and respond to the broad spectrum of possible implications, as well as rapidly notify concerned third parties.”