Bad Intel And Zero Verification Leads To LifeLock Naming Wrong Company In Suspected Security Breach

from the more-'security-mediocre-practices'-from-the-biggest-name-in-ID-protectio dept

LifeLock has never been the brightest star in the identity fraud protection constellation. Its own CEO — with his mouth writing checks others would soon be cashing with his credentials — expressed his trust in LifeLock’s service by publishing his Social Security number, leading directly to 13 separate cases of (successful) identity theft.

Beyond that, LifeLock was barely a lock. It didn’t encrypt stored credentials and had a bad habit of ambulance-chasing reported security breaches in hopes of pressuring corporate victims into picking up a year’s worth of coverage for affected customers. This culminated in the FTC ordering it to pay a $12 million fine for its deceptive advertising, scare tactics, and inability to keep its customers’ ID info safe.

It’s LifeLock’s ambulance chasing that’s getting it into trouble again. Rather than verify the details of a recent breach, it began sending notices to customers informing them about possibly exposed info at entirely the wrong service.

Last week, LifeLock and several other identity theft protection firms erroneously alerted their customers to a breach at cloud storage giant — an incident that reportedly exposed some 73 million usernames and passwords. The only problem with that notification was that Dropbox didn’t have a breach; the data appears instead to have come from another breach revealed this week at social network Tumblr.

This isn’t completely LifeLock’s fault. It did send out a false alarm and finger the wrong platform, but its information came from a third party: CSID. Brian Krebs approached the identity monitoring firm to determine how it had arrived at the wrong conclusion. It appears it’s turtles misinformation all the way down. CSID president of product and marketing Bryan Hjelm confirmed his company was suffering some “reputational concerns” after wrongly naming Dropbox, rather than Tumblr, as the source of the breach. But he still felt his company was doing a bang-up job in the ID protection department, despite utilizing questionable sources.

He told me that CSID relies on a number of sources online who have been accurate, early indicators of breaches past. One such actor — a sort of cyber gadfly best known by his hacker alias “w0rm” — had proven correct in previous posts on Twitter about new data breaches, Hjelm said.

In this case, w0rm posted to Twitter a link to download a file containing what he claimed were 100M records stolen from Dropbox. Perhaps one early sign that something didn’t quite add up is that the download he linked to as the Dropbox user file actually only included 73 million usernames and passwords.

In any case, CSID analysts couldn’t determine one way or the other whether it actually was Dropbox’s data. Nonetheless, they sent it out as such anyway, based on little more than w0rm’s say-so.

The problem with this bogus alert is that every step of it was automated. CSID admits it never checked out w0rm’s claim by manually verifying the data dump contained what w0rm said it contained. It simply generated its alert, which was then picked up by others, like LifeLock, that rely on it for breach identification/notification. The automation continued as LifeLock sent auto-generated messages to its customers. The only manual part of this process occurred at the end user level when Dropbox customers began altering their login credentials to protect themselves from a nonexistent breach. Meanwhile, the real breach went ignored.

It’s often said that humans are the weakest link in the security chain, but this incident shows that a little human intervention would have gone a long way towards heading off bogus breach notifications that made an unaffected company look like it was hiding something from its users.

Filed Under:
Companies: dropbox, lifelock, tumblr

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Bad Intel And Zero Verification Leads To LifeLock Naming Wrong Company In Suspected Security Breach”

Subscribe: RSS Leave a comment
Someantimalwareguy says:

Re: Re:

As the article said – automation. Automation can only do so much before any results generated need to be reviewed by human eyes and then appropriate samples verified for accuracy.

This was just lazy corner cutting on the cheap and it (as it always does) bit them all in the rear-end…

ltlw0lf (profile) says:

Re: Re: Re:

It wasn’t just automation, it was that the source (w0rm) said it was a dump from dropbox, when in fact it was a dump from tumblr. They took the statement on face value without verification, and then automation took over.

It wouldn’t have taken them that long to verify the data…simply try to feed the email addresses into the “new user registration” form and if it allows the email to be used and continues the process, the email address hasn’t been used on the service. Get a bunch of these to work, and the dump isn’t likely to be real.

orbitalinsertion (profile) says:

Re: Re: Re:

Indeed, the original source indicated incorrectly (for some reason), and was then blindly followed. How or why w0rm mis-posted is a more interesting bit. Lifelock is a ball of crap no matter how you slice it, and their behavior is unsurprising, if still stupid. (And if you automate such serious errors out of a Twitter feed, idkwtflol.)

Anonymous Anonymous Coward (profile) says:

It is not like the idea of encrypting customer data is new

How hard is it to encrypt customer records? I mean, it is 2016 already. The Internet is over 20 years old. The rate of change is pretty fast, and getting faster. What is the hold up?

Is it super costly?

Is is easy to leave some kind of backdoor?

Is it ego, the CEO’s just believe they will never be on the list of hackers?

Is it something I haven’t thought of?

That One Guy (profile) says:

Re: It is not like the idea of encrypting customer data is new

It’s not so much it’s ‘super’ costly so much as it costs at all, and if those running the company are only focused on the short-term then the odds of being hacked are likely pretty low, making paying extra for encryption(both in time and money) a ‘waste’.

If you’re only looking at short-term costs, then encryption is going to be a waste the majority of the time, it’s only those that are willing to look more long-term, or accept that it only has to happen once to potentially trash your company that are able to realize that encryption, even if it’s never used, is still worth the extra cost.

Anonymous Anonymous Coward (profile) says:

Re: Re: It is not like the idea of encrypting customer data is new

The cost of shame and paying off lawsuits, or insurance that will pay off lawsuits is cheaper than paying for encryption? Or, so it seems in their minds? Which brings to mind, why aren’t insurance companies requiring encryption in order to give coverage?

The whole ‘only this quarters profits matter to our decisions’ has bothered me for a long while now. I don’t know what we can do about it, but I sometimes have wild dreams about laws that require investments be held for a year or more before they can be sold, and terminate all computer generated trading. That might slow some investment down. So what. But it will make CEO’s think longer term.

But those things will not happen lest Wall Street has some kind of conniption fit and wakes up with a conscience. Not holding my breath.

Nothing will happen from our corrupt Congress, and the SEC and FBI have proven, through their lack of action, that they will not hold anyone there responsible. And guess what, there is no one to hold THEM responsible for that lack of action. We are in trouble.

Anonymous Coward says:

Re: Re: It is not like the idea of encrypting customer data is new

Look at it this way, when bean counters are involved, logic goes out the window. Particularly if they are CA’s. One does tend to get a little more sense out of CPA’s, but you don’t put either in charge of anything. It will only cause you problems.

If they are given the power to make financial decisions, all you will see is money wasted because they “know” what has to happen to save a penny, but don’t seem to understand that spending money can save much more in the long term. They are too often focussed on the current financial year and the next financial year to recognise what is needed now to save money over the next 10, 20 or even 50 years.

Anonymous Coward says:

Re: It is not like the idea of encrypting customer data is new

Encrypting customer data IS hard and costly. I’m referring to things like email addresses, phone numbers, names, social security numbers and such.

1. The web server needs to encrypt and decrypt the data, so it needs the keys. Hack web server, copy keys and data and all that encryption was just a waste of time doing nothing to protect the data.
2. To solve problem #1 you use an HSM ( Hardware Security Module ) the HSM does the encryption/decryption for the web server. Hack web server, figure out how things work, utilize HSM to decrypt all the data and all that encryption was just a waste of time. All the HSM did was make it more difficult for the hacker because he must maintain unauthorized access to the HSM to decrypt data.
3. The whole point of collecting data is to do something with it. If it’s all stored encrypted it’s hard to do anything with it such as searching, reporting etc.

Some encryption efforts are easy
1. Store passwords as Cryptographic hashes (irreversible encryption)
2. Encrypted portable media like backups/laptops
3. Encrypting data stored on disk in case the hacker decides going all mission impossible breaking into your data center to steal your disk drives is easier than using the latest zero day exploit.

It’s easy to protect your password and data loss through physical access. Currently there is no unhackable way to protect data stored in networked systems unless you know someone capable of making a perfect system….

PaulT (profile) says:

Re: Re: It is not like the idea of encrypting customer data is new

“The web server needs to encrypt and decrypt the data, so it needs the keys. Hack web server, copy keys and data and all that encryption was just a waste of time doing nothing to protect the data.”

A door lock needs to secure the door in certain ways which means it needs the keys. Pick pocket, copy keys and all that lock is just a waste of time doing nothing to protect the home.

So, why bother with locks on your doors, right?

marcus (profile) says:

Re: Re: It is not like the idea of encrypting customer data is new

You can make the same arguments about a lock to your door since it would be so easy for someone to steal your keys or make a copy of your keys without your knowledge. A lot of companies don’t even encrypt backup media and have been the victim of theft exposing records of many customers on these unencrypted stored media. A lot of the removable media is stolen during transport to off sites.

nasch (profile) says:

Re: It is not like the idea of encrypting customer data is new

I was in a meeting this week with a major nation wide provider of real estate data, and they are just now working on hashing user passwords in their database. Someone said something about external pressure to beef up security (didn’t catch from where exactly) and that they really aren’t all that interested in doing it.

jordan Chandler (profile) says:


In 2015, it was ordered to pay $100 million to settle Federal Trade Commission contempt charges for failing to protect consumer information and deceptive advertising, the largest monetary award obtained by the Commission for an enforcement action

You’re an idiot if you use lifelock

marcus (profile) says:

Always wondered how safe identity theft protection sites are with information

After a breech last year, I was offered free identity theft protection for one year by CSID. I was weary of giving my information to them since others I have known told me how they had to give CSID their SSN and all kinds of other information in order to take advantage of the free service. Being the victim of one breech, I was concerned if CSID would protect my personal information so that I don’t become a victim of identity theft again. I remember one person even was protected from Lifelock but still was a victim of this breech and wasn’t eligible for the free 1 year protection from CSID since they already are signed up with Lifelock.

John85851 (profile) says:

Not surprising

It’s not surprising when companies use other companies as their source of data rather than verifying it themselves.
How many times has this happened in the news industry? Site #1 (such as The Onion) will publish a story and site #2 will take it as gospel and re-print it… even though The Onion is a known satirical site! Then site #3 will re-print site #2’s article using site #2 as the “verified source”, yet the original data is still bad.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...