We just finished a really interesting read at Krebs on Security about LifeLock ID theft protection, which is now owned by Symantec.
A security researcher told Brian Krebs that visual clues on the company's website suggested he could probably pull the email address of any LifeLock subscriber. He tested the theory, and it worked.
Adam Levin, a longtime consumer advocate and founder of CyberScout, has quite a bit to say about this cyber incident.
"The LifeLock situation demonstrates that even if you are owned by one of the world’s largest anti-virus services, a simple website misconfiguration error can provide, if not the keys to the kingdom, at least some big, wide open windows. While any criminal enterprise could (and probably does) send out LifeLock phishing emails, this ability to cull an actual customer email list from their site is particularly meaningful because this is a group of customers that are already worried about fraud and have invested in a product to try to protect themselves that has ultimately failed to do so."
We'll let Krebs take it from here. This is one cybersecurity mistake you want your web team to avoid:
"The upshot of this weakness is that cyber criminals could harvest the data and use it in targeted phishing campaigns that spoof LifeLock’s brand. Of course, phishers could spam the entire world looking for LifeLock customers without the aid of this flaw, but nevertheless the design of the company’s site suggests that whoever put it together lacked a basic understanding of Web site authentication and security."