How Symantec Resolved the Issue Involving the LifeLock Marketing Opt-Out Page
We would like to thank Brian Krebs at KrebsOnSecurity for informing us yesterday (July 25) of an issue with a marketing opt-out page, and for allowing us to correct a misconfiguration before publishing his blog. The industry benefits greatly from quality researchers who follow responsible disclosure procedures.
Further, we would like to clarify a few points in the story:
- The issue was limited to potential exposure of email addresses on a marketing page, managed by a third party, intended to allow recipients to unsubscribe from marketing emails.
- The issue was not with our main member portal or any other pages on LifeLock.com besides the marketing opt-out page.
- The page was taken down briefly, a fix was put into place quickly, and the opt-out service was restored.
- Based on our investigation, aside from the approximately 70 email address accesses reported by the researcher, we have no indication at this time of any further suspicious activity on this marketing opt-out page, or that any LifeLock customer data was exposed.
- We employ countermeasures against phishing and spear-phishing attempts against lifelock.com. Emails sent from lifelock.com are digitally signed, such that any email client or Internet Service Provider can verify whether or not an email claiming to be from lifelock.com is legitimate. These countermeasures enable email clients and ISPs to reject spoofed emails using the widely deployed DKIM and DMARC Internet standards.
Responsible stewardship of critical data is our central mission, and we take these matters very seriously.
Again, we thank Brian Krebs and invite you to contact us with any concerns you may still have.
Editor’s note: This content was updated on August 24, 2018, at 1 p.m.