Image of an unlocked padlock on an iPhone screen in front of chain link fence

Norton Password Manager users need to take action to protect their passwords after the credential-stuffing attack.
Angela Lang/CNET

Thousands of people who use Norton password manager began receiving emailed notices this month alerting them that an unauthorized party may have gained access to their personal information along with the passwords they have stored in their vaults. 

Gen Digital, Norton’s parent company, said the security incident was the result of a credential-stuffing attack rather than an actual breach of the company’s internal systems. Gen’s portfolio of cybersecurity services has a combined user base of 500 million users — of which about 925,000 active and inactive users, including approximately 8,000 password manager users may have been targeted in the attack, a Gen spokesperson told CNET via email. 

In a credential-stuffing attack, an attacker uses a list of stolen username and password combinations to deploy an automated process that attempts to access other online accounts using the same login credentials. The success of such an attack relies on people’s tendency to reuse passwords across multiple online accounts. If your Norton account was compromised in the attack and you use the same password for your password manager vault, then you’re especially at risk of having your vault data compromised by an unauthorized party. 

If attackers are successful in gaining access to your vault, they’ll have access to the usernames and passwords for all the online accounts you have stored in your password manager. You could get locked out of all your accounts, and depending on the account logins you have stored in your vault, extremely sensitive personal information may be exposed to people who shouldn’t have access to it. Attackers would also have access to any credit card details or secure notes saved in your vault.  

Norton’s intrusion detection systems detected an unusual number of failed login attempts on Dec. 12, 2022, the company said in its notice. On further investigation, around Dec. 22, Norton was able to determine that the attack began around Dec. 1. 

“Norton promptly notified both regulators and customers as soon as the team was able to confirm that data was accessed in the attack,” Gen’s spokesperson said.

Personal data that may have been compromised includes Norton users’ full names, phone numbers and mailing addresses. Norton also said it “cannot rule out” that password manager vault data including users’ usernames and passwords were compromised in the attack.  

“Systems have not been compromised, and they are safe and operational, but as is all too commonplace in today’s world, bad actors may take credentials found elsewhere, like the Dark Web, and create automated attacks to gain access to other unrelated accounts,” the Gen spokesperson told CNET. “We have been monitoring closely, flagging accounts with suspicious login attempts and proactively requiring those customers to reset their passwords upon login along with additional security measures to protect our customers.”

If you’ve received Norton’s notification, then you’ll need to immediately change your Norton account password as well as your Norton Password Manager password. Then you should change the passwords to every single one of your other online accounts, making sure to create a unique, strong password for each one. Start with the most important accounts first, like anything related to finances, work or health. Then move on to others, like email accounts and social media accounts, before continuing with your potentially less-critical online accounts. Make sure also to enable two-factor authentication on any account that offers it — including your Norton account — to give yourself an added layer of protection.

But what about Norton users who haven’t been notified that they’ve been targeted? Note that the number of affected users Norton now identifies has already grown from the about 6,450 that Techcrunch cited in its earlier reporting on the attack, and the figure may well expand further. To be as safe as possible, the same routine applies, unfortunately. At the very least, immediately change your main Norton passwords. But the safest thing to do is to change underlying passwords and flip on two-factor authentication. 

Norton is also offering access to credit monitoring services for affected users, according to its letter to customers. It’s a good idea to enroll in those services to ensure you’re alerted to any suspicious activity being conducted in your name. Additionally, you’ll want to be on the lookout for social engineering tactics like phishing scams that attempt to trick you into divulging your passwords and personal information.      

You might also consider trying a different password manager. CNET’s list of the best password managers highlights a few alternatives to Norton’s. 

Though the credential-stuffing attack targeting Norton customers wasn’t quite as egregious as the most recent LastPass breach, the bottom line is that Norton users’ personal information and passwords have potentially been in the hands of a threat actor since the beginning of December. 

Ultimately, the attack helps underscore that password managers are naturally attractive targets for attackers, and why it’s important to choose a good password manager and take extra precautions to protect your login credentials.  

Leave a Reply

Your email address will not be published. Required fields are marked *