LifeLock Security Bug Puts Millions of Customer Emails at Risk

LifeLock customers may be at risk for phishing attacks, thanks to a bug on one of the firm's marketing pages that could have exposed customers' emails.

Symantec, LifeLock's parent company, says it fixed the issue and found no indication customer email addresses have been harvested. Still, the company's investigation is ongoing and it's smart to be vigilant if you're a LifeLock customer or former customer.

Here's What You Need to Know

The LifeLock bug potentially enabled fraudsters to harvest email addresses by simply changing one number in the address of a web page used by customers to unsubscribe from LifeLock communications. The number represents a specific customer and altering it revealed that customer's email address.

With this type of vulnerability, hackers can potentially gather email addresses and use them to send messages designed to look like they are coming from a legitimate company. This is a practice known as spear phishing.
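A flaw of the kind described above, where a number in the address alone selects the record, is commonly called an insecure direct object reference. The Python example below is added here for illustration and is not LifeLock's or Symantec's code: it contrasts that pattern with an unsubscribe link that carries a signed token and a page that never displays the address. The customer records, key and function names are all constructed assumptions.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample data and key (assumptions for this example only).
CUSTOMERS = {1001: "alice@example.com", 1002: "bob@example.com"}
SECRET_KEY = b"constructed-demo-key"  # real deployments: random, server-side only
UNSUBSCRIBED = set()
GENERIC_REPLY = "If this link is valid, you have been unsubscribed."


def unsubscribe_page_vulnerable(customer_no: int) -> str:
    """Pattern the article describes: the number in the URL alone selects
    the record, and the page displays that customer's address."""
    email = CUSTOMERS.get(customer_no)
    return f"Unsubscribe {email}?" if email else "Not found"


def _tag(number: str) -> str:
    return hmac.new(SECRET_KEY, number.encode(), hashlib.sha256).hexdigest()


def make_token(customer_no: int) -> str:
    """Value placed in the emailed link: the number plus an HMAC-SHA256 tag."""
    return f"{customer_no}.{_tag(str(customer_no))}"


def verify_token(token: str) -> Optional[int]:
    """Return the customer number only if the tag was minted with SECRET_KEY."""
    number, _, tag = token.partition(".")
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if hmac.compare_digest(tag.encode(), _tag(number).encode()):
        return int(number)
    return None


def unsubscribe_page_hardened(token: str) -> str:
    """Act on a valid token, but answer every request identically and
    never echo the email address back to the requester."""
    customer_no = verify_token(token)
    if customer_no in CUSTOMERS:
        UNSUBSCRIBED.add(customer_no)
    return GENERIC_REPLY
```

With the hardened handler, editing the number in a link invalidates the tag, and the reply gives no indication of whether a customer record exists.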

Be skeptical of any email communications that contain links, especially ones urging you to take immediate action.

Watch Out For Phishing and Malware Attacks

Scammers often embed hyperlinks into an email that take you to a fake site where they collect your information or load malware onto your computer.

Before clicking on a suspicious link, hover your mouse over it to see what the actual URL looks like. Look for warning signs, such as a URL that doesn't begin with "https" or one that goes somewhere other than where the hyperlinked text says it will go.

Whatever you do, do not enter any personal information or credentials via links in emails. Instead, forward any suspicious email to the company itself. You can also call the company directly to confirm whether any such messaging is legitimate.

Here are some additional guidelines for detecting and avoiding spear phishing scams:

1. Check the URL of Any Website Requesting Personal Information

Pull up the organization's real website and compare the text that appears before the first "slash" (/) in its address.

Look for slight anomalies such as .co instead of .com, "typos" or extra "dots" in the main name, etc. Also make sure the address begins with https://; the "s" indicates that the connection to the site is encrypting your data.

2. Proofread for Spelling

Multiple typos or spelling errors could be a sign the email does not come from a legitimate source.

3. Confirm That the Email or Web Address Is Correct

Scammers may mimic websites from known companies in order to fool you by changing a letter or word so it closely resembles a legitimate address.

4. Look for Attachments

It's unusual for a legitimate financial institution or company to send account information as an attachment; be wary of any email you receive that says a statement or bill is attached. Opening a suspect attachment could allow malicious software to download onto your computer or smartphone.

Protect Your Identity

If you're worried about your personally identifiable information being out there, you can access your free Experian credit report and run a free dark web scan to find out if information like your Social Security number, phone number, or email addresses is on the dark web.

If you suspect you are a victim of identity theft, you might want to file a free initial security alert that remains active on your account for 90 days at the Experian fraud center. (You only need to file it with one credit bureau—they are legally required to share such alerts with their counterparts, so you don't need to file with all three.) This fraud alert will notify any lenders pulling your credit report to take extra steps to verify your identity—a measure that can frustrate and dissuade identity thieves.

However, fraud alerts do not completely block access to your credit reports. For the highest level of protection, you might consider freezing your credit reports, a measure that prevents lenders from issuing new credit in your name altogether.