LifeLock, a firm that offers an identity protection service, has exposed millions of email addresses to possible phishing attacks, according to Krebs on Security.
The company had a vulnerability on its site that would have allowed bad actors to index email addresses and unsubscribe individuals, Krebs writes.
The firm has fixed the problem. But the issue suggests that “whoever put it together lacked a basic understanding of web site authentication and security,” Krebs writes.
Krebs says it was informed of the issue by Nathan Reese, a freelance security researcher and former LifeLock subscriber.
Symantec, which bought LifeLock in 2016 for $2.3 billion, responded to Krebs by saying that the “issue has been fixed and was limited to potential exposure of email addresses on a marketing page, managed by a third party, intended to allow recipients to unsubscribe from marketing emails.”
It also said that there was no “vulnerability in the LifeLock portal,” and that there was no suspicious activity.