December was a busy month for hackers as we are now learning of another credential-stuffing attack that impacted thousands of users of Norton's password manager.
The breach began around Dec. 1 but was identified by Norton on Dec. 12, it exposed users' personal data including names, phones numbers, and mailing addresses along with full access to their password manager vaults. The latter would of course include passwords and potentially other secure data like credit card details or other financial data (via CNET).
What is a credential-stuffing attack?
This latest credential-stuffing attack comes on the heels of a similar breach affecting 35,000 PayPal users. The key to these attacks is that they aren't a breach of the data security for the impacted sites, credential-stuffing attacks are simply hackers using the username and password combinations from previous data leaks on a variety of sites to try to gain access to other services.
How can you avoid being a victim of a credential-stuffing attack?
While the breach is ironically of a password manager in this case, credential-stuffing attacks highlight how important a good password manager is on the modern web to keep your data safe. The key is that you need to make sure that above all else your password manager has a unique and secure password that you aren't using on any other services.
Relying on a password manager to both generate and store your passwords may seem like a hassle, but it's far less trouble than having hackers gain access to your personal data or accounts with access to your financial accounts or data. A password manager will also limit your exposure in the event of a service you use being breached via other means as you will only be faced with changing a single password rather than potentially dozens using the same password.
If you really want to be secure, using two-factor authentication (2FA) adds another layer of protection that will stop hackers in their tracks. When done right 2FA involves something you have as well as something you know, which would preclude a credential-stuffing breach from impacting you.
What to do if you are a Norton password manager user
If your account was impacted you should have already received an email from Norton. Your first step should be to change your password for Norton and then you'll need to take the time to change any of the passwords that you had saved in that vault.
Norton is offering free credit monitoring services for users impacted by the breach, so you should accept that offer so that you will be alerted in the event that hackers did obtain your data and are trying to use your identity for any nefarious purposes.
