LifeLock Fixes Website Issue That Could Have Exposed Data

LifeLock, the identity protection service, has corrected a flaw on a marketing page that could have exposed millions of subscriber email addresses to phishing attacks. Competitors are watching closely.

One is IDShield, which has 850,000 users compared to LifeLock's reported 4 million. IDShield noticed a bump in website traffic last Thursday and Friday, following a report on the incident by Krebs on Security, according to Scott Grissom, VP of product leadership, marketing and sales for IDShield.

However, it is not clear whether this uptick continued over the weekend, or whether it resulted in conversions, Grissom adds.

Grissom acknowledges that there was "no actual stealing of data" at LifeLock, but his firm has sent a link to the Krebs article to the thousands of independent associates who sell the IDShield product.

He claims that IDShield uses encryption and security tokens, and that it applies the same protections to its third-party marketers.

According to Krebs, LifeLock had a vulnerability on its site that could have allowed bad actors to enumerate subscriber email addresses and unsubscribe individuals from its mailings.

Krebs says it was informed of the issue by Nathan Reese, a freelance security researcher and former LifeLock subscriber.

Reese received an email offering him a renewal discount.

Krebs writes: “Clicking the ‘unsubscribe’ link at the bottom of the email brought up a page showing his subscriber key. From there, Reese said, he wrote a proof-of-concept script that began sequencing numbers and pulling down email addresses.”

Reese stopped after 70 email addresses because "he didn't want to set off alarm bells at LifeLock," Krebs continues.

He concludes that “whoever put it together lacked a basic understanding of web site authentication and security.”
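The flaw Krebs describes is a classic insecure direct object reference: the unsubscribe link carried a small sequential subscriber key, and that key alone was enough to fetch someone else's address. The following is an added illustration, not code from LifeLock, its marketing vendor, Krebs or Reese. It contrasts a lookup keyed directly on a sequential integer with one that binds the key to an HMAC tag under a server-side secret, so a neighbouring key cannot be forged without that secret. The subscriber table, key values and secret are all constructed for the example.

```python
"""Added example (not LifeLock's or the researcher's code): a sequential
subscriber key used as the unsubscribe credential, beside an HMAC-bound
token that cannot be enumerated. All subscriber data here is constructed."""
import hashlib
import hmac
import secrets

# Constructed subscriber table: sequential key -> email address.
SUBSCRIBERS = {
    1001: "alice@example.com",
    1002: "bob@example.com",
    1003: "carol@example.com",
}

# --- Vulnerable design: the URL parameter *is* the database key ----------
def unsubscribe_page_vulnerable(subscriber_key: int):
    """Returns the email shown on the opt-out page, or None if no such key.
    The only 'secret' is a small sequential integer, so anyone holding one
    valid key can guess its neighbours."""
    return SUBSCRIBERS.get(subscriber_key)

def enumerate_vulnerable(start_key: int, count: int):
    """What a 'sequencing numbers' script does against the vulnerable page:
    walk adjacent keys and collect whatever the page hands back."""
    found = {}
    for key in range(start_key, start_key + count):
        email = unsubscribe_page_vulnerable(key)
        if email is not None:
            found[key] = email
    return found

# --- Hardened design: an unguessable, server-bound token -----------------
SERVER_SECRET = secrets.token_bytes(32)  # generated at startup (constructed)

def issue_unsubscribe_token(subscriber_key: int) -> str:
    """Token embedded in the email link: the key plus an HMAC-SHA256 tag
    over it. Without SERVER_SECRET a tag for any other key cannot be forged."""
    key_str = str(subscriber_key)
    tag = hmac.new(SERVER_SECRET, key_str.encode(), hashlib.sha256).hexdigest()
    return f"{key_str}.{tag}"

def unsubscribe_page_hardened(token: str):
    """Verifies the tag in constant time before touching the subscriber
    table; any malformed or mis-tagged token is rejected with None."""
    try:
        key_str, tag = token.split(".", 1)
        key = int(key_str)
    except ValueError:
        return None
    expected = hmac.new(SERVER_SECRET, key_str.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return SUBSCRIBERS.get(key)

def enumerate_hardened(start_key: int, count: int):
    """The same walk against the hardened page: the attacker can guess the
    key but must supply a tag, and a guessed tag never verifies."""
    found = {}
    for key in range(start_key, start_key + count):
        email = unsubscribe_page_hardened(f"{key}.{'0' * 64}")
        if email is not None:
            found[key] = email
    return found
```

A random opaque token stored alongside the subscriber record works equally well and avoids exposing the key at all; the HMAC form is shown because it needs no extra storage. Either way, the opt-out page should still display only a masked address rather than the full one, since the token can leak from forwarded mail or referrer headers.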

LifeLock issued this statement: "This issue was not a vulnerability in the LifeLock member portal. The issue has been fixed and was limited to potential exposure of email addresses on a marketing page, managed by a third party, intended to allow recipients to unsubscribe from marketing emails."

The company adds: "Based on our investigation, aside from the 70 email addresses accessed as reported by the researcher, we have no indication at this time of any further suspicious activity on the marketing opt-out page."
