Norton Password Manager hacked, warning users about breaches

An example authentication page

The notifications to customers of NortonLifeLock advise that hackers are successfully gaining access to Norton Password Manager accounts. However, it is claimed that the attacks were not caused by weak security in the Norton Password Manager systems, but instead via a third-party platform.

"Our own systems were not compromised. However, we strongly believe that an unauthorized third-party knows and has utilized your username and password for your account," the firm said in notices to customers, according to a letter sample shared with the Office of the Vermont Attorney General seen by BleepingComputer.

Specifically, the breach is known as a credential-stuffing attack, where an attacker acquires data from other sources, such as account compromises on other platforms, to try and gain access to the intended target.

In this instance, Norton saw detected an "unusually large volume" of failed login attempts on December 12, which usually indicates attempts at credential stuffing attacks. An internal investigation that ran until December 22 discovered that the attacks started from December 1, and that a number of accounts were successfully compromised.

While the number of affected accounts were not revealed, a statement from NortonLifeLock parent company Gen Digital revealed that approximately 925,000 inactive and active accounts could've been targeted in the attack.

Customers are warned in the notification that attackers may have obtained details stored in private vaults, which could lead to further compromises. Attackers may also have seen the account's first name, last name, phone number, and mailing address.

Norton has since reset passwords on impacted accounts, introduced additional measures to fend off attacks, and advises customers to enable two-factor authentication on their accounts. It also offers the use of a credit monitoring service.

The NortonLifeLock attack is the latest to be publicly known involving password locker services.

In December, LastPass confirmed that an August data breach involved names, addresses, and encrypted password data vaults. By late December, it was claimed that the vaults were potentially crackable for just $100.