We would like to thank Brian Krebs at KrebsOnSecurity for informing us yesterday (July 25) of an issue with a marketing opt-out page, and for allowing us to correct a misconfiguration before he published his post. The industry benefits greatly from quality researchers who follow responsible disclosure procedures.
Further, we would like to clarify a few points in the story:
- The issue was limited to potential exposure of email addresses on a marketing page, managed by a third party, intended to allow recipients to unsubscribe from marketing emails.
- The issue was not with our main member portal or any other pages on LifeLock.com besides the marketing opt-out page.
- The page was taken down briefly, a fix was put into place quickly, and the opt-out service was restored.
- Based on our investigation, aside from the approximately 70 email address accesses reported by the researcher, we have no indication at this time of any further suspicious activity on this marketing opt-out page, or that any LifeLock customer data was exposed.
- We employ countermeasures against phishing and spear-phishing attempts that impersonate lifelock.com. Emails sent from lifelock.com are digitally signed, so that any email client or Internet Service Provider can verify whether or not an email claiming to be from lifelock.com is legitimate. These countermeasures enable email clients and ISPs to reject spoofed emails using the widely deployed DKIM and DMARC Internet standards.
- Our investigation is ongoing.
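To show what the DKIM/DMARC point above means in practice for a receiving mail server, here is an added example of the DMARC evaluation step: given the sender domain's published policy record and the DKIM and SPF results for a message, decide whether the message passes or is quarantined or rejected. This is illustrative code written for this page, not LifeLock's or Symantec's software; the DMARC records, domains and authentication results are constructed sample data, and the organizational-domain helper is a deliberate simplification (real verifiers consult the Public Suffix List).

```python
"""DMARC disposition for a received message (added illustration, not vendor code).

DKIM lets a receiver verify that a message was signed under a given domain;
DMARC says what to do when no passing DKIM or SPF result is *aligned* with
the domain in the visible From: header. That alignment check is what stops
a spoofed "From: lifelock.com" message signed by an unrelated domain.
"""


def parse_dmarc_record(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s'."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    if "p" not in tags:
        raise ValueError("DMARC record lacks the required p= tag")
    # Defaults from RFC 7489: relaxed alignment for both DKIM and SPF.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def organizational_domain(domain):
    """Simplified organizational domain: the last two labels.

    Assumption for this example only; production code uses the Public
    Suffix List so that e.g. 'example.co.uk' is handled correctly.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' requires an exact match, 'r' (relaxed)
    accepts any subdomain of the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def dmarc_disposition(record, from_domain, dkim_results, spf_result):
    """Return 'pass', or the record's p= action ('none', 'quarantine', 'reject').

    dkim_results: list of (signing domain from the d= tag, signature verified?)
    spf_result:   (MAIL FROM domain, SPF passed?)
    """
    tags = parse_dmarc_record(record)
    dkim_ok = any(
        passed and aligned(from_domain, d, tags["adkim"])
        for d, passed in dkim_results
    )
    spf_domain, spf_passed = spf_result
    spf_ok = spf_passed and aligned(from_domain, spf_domain, tags["aspf"])
    if dkim_ok or spf_ok:
        return "pass"
    return tags["p"]


if __name__ == "__main__":
    # Constructed sample: a reject policy, as a domain protecting its brand would publish.
    policy = "v=DMARC1; p=reject; adkim=r; aspf=r"
    # Legitimate message: DKIM signature verifies under the From: domain itself.
    print(dmarc_disposition(policy, "lifelock.com", [("lifelock.com", True)], ("lifelock.com", True)))
    # Spoofed message: valid DKIM and SPF, but for an unrelated domain, so nothing aligns.
    print(dmarc_disposition(policy, "lifelock.com", [("spoofed-sender.example", True)], ("spoofed-sender.example", True)))
```

The second call is the case the statement describes: a forged message can carry a perfectly valid DKIM signature and pass SPF for the attacker's own infrastructure, but because neither result is aligned with the From: domain, a receiver honouring the published `p=reject` policy discards it.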
Responsible stewardship of critical data is our central mission, and we take these matters very seriously.
Again, we thank Brian Krebs and invite you to contact us with any concerns you may still have.
Editor’s note: This content was updated on July 26, 2018, at 2:05 p.m.