Every lock can be picked.
LifeLock, an identity protection service offered by Symantec, was recently "unlocked."
A website bug exposed millions of email addresses belonging to customers. Anyone on a web browser could change a number in the URL used to unsubscribe from LifeLock's emails, and it would enable them to collect the email addresses.
The news was initially published by Krebs on Security on June 25.
Exclusive: LifeLock just took its site offline to fix a bug that exposed millions of customer email addresses, data that could be very useful to scammers interested in conducting mass phishing expeditions. https://t.co/KaZerLUUER pic.twitter.com/QAgyiv3pAm— briankrebs (@briankrebs) July 25, 2018
"Of course, phishers could spam the entire world looking for LifeLock customers without the aid of this flaw, but nevertheless the design of the company’s site suggests that whoever put it together lacked a basic understanding of website authentication and security," wrote Krebs.
Symantec has since fixed the flaw.
Phishing is a major threat facing all organizations these days. Google recently required all employees to use physical security keys, so phishing can't occur, even if employees accidentally take the bait. The Defense Department is taking similar steps.
Individuals often rely on LifeLock, password managers and similar services to keep their accounts safe. It's telling that even those services are vulnerable.