It’s a tale almost as old as time — a cybersecurity expert uncovers a flaw in a program, website or service that leaves thousands or millions of people’s personal information exposed for any criminal to find. Most people can agree that no security flaws found in systems that store consumer information are good, but when the issue happens to a company that makes its mission to protect that information, it’s even more concerning. Today, we’re digging into a recently discovered data leak on a page owned by identity theft protection service LifeLock, what this means for its customers and whether these kinds of services are worth putting your trust into in the first place.

Security researcher stumbles upon LifeLock leak

According to a story broken by Krebs on Security, a vulnerability within LifeLock’s unsubscribe page potentially left the email addresses associated with millions of user accounts exposed (approximately 4.5 million, based on 2017 LifeLock membership data). Discovered by a freelance security researcher named Nathan Reese when he clicked an unsubscribe link in an email from LifeLock, this vulnerability entailed a numeric “subscriber key” within the URL on that page. Reese determined the subscriber key was assigned to each user, and that the numbers appeared to be sequential. Krebs explained that, based on this, a simple script would be enough to pull the emails of every LifeLock account — something Reese tested himself, which netted him 70 emails before he put a stop to his script and notified LifeLock of the flaw.
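The weakness described above is that the unsubscribe page trusted a guessable, sequential key as the only proof that the visitor was the subscriber. The following is an added illustration, not code from LifeLock or the third-party page, of the weak pattern beside a hardened one that binds the key to an expiring HMAC signature, so a neighbouring key without a valid token reveals nothing. The secret, subscriber table and hostname are constructed for the example.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical server-side secret (constructed for this example); keep it in a
# secrets store in practice and never place it in a URL.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"

# Constructed sample subscriber table keyed by the internal sequential id.
SUBSCRIBERS = {1001: "alice@example.com", 1002: "bob@example.com"}


def handle_unsubscribe_weak(url: str):
    """Weak pattern: the numeric key alone selects the record."""
    q = parse_qs(urlparse(url).query)
    try:
        return SUBSCRIBERS.get(int(q["k"][0]))
    except (KeyError, ValueError):
        return None


def _sign(subscriber_key: int, expires: int) -> str:
    # The MAC covers both the key and the expiry; editing either breaks it.
    msg = f"{subscriber_key}:{expires}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def build_unsubscribe_url(subscriber_key: int, now=None, ttl: int = 7 * 86400) -> str:
    """Issue a link whose token cannot be derived from a neighbouring key."""
    expires = (int(time.time()) if now is None else now) + ttl
    params = {"k": subscriber_key, "e": expires, "t": _sign(subscriber_key, expires)}
    return "https://unsubscribe.example.com/?" + urlencode(params)


def handle_unsubscribe(url: str, now=None):
    """Hardened pattern: return the email only if the token verifies and is unexpired."""
    q = parse_qs(urlparse(url).query)
    try:
        key, expires, token = int(q["k"][0]), int(q["e"][0]), q["t"][0]
    except (KeyError, ValueError):
        return None
    if (int(time.time()) if now is None else now) > expires:
        return None
    # Constant-time comparison; a guessed or edited key fails here.
    if not hmac.compare_digest(_sign(key, expires), token):
        return None
    return SUBSCRIBERS.get(key)
```

Rate limiting and logging of failed token checks on the endpoint would additionally make sequential probing visible to the operator.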

Someone with malicious purposes could use these emails for a variety of cybercrimes, including phishing campaigns. As Reese said in his email to LifeLock, the knowledge that users associated with these emails had purchased identity theft protection services at one time provided him (or any cybercriminal in possession of this data) with a “pretty sharp spear” for the kind of targeted phishing campaigns known as spear phishing. In other words, a criminal could send fake emails to subscribers purporting to be from LifeLock, perhaps warning them about a problem with their credit reports or offering an enticing deal to resubscribe — all for the purpose of tricking them into giving up sensitive information.

After Brian Krebs contacted LifeLock’s parent company, Symantec, about this issue, the unsubscribe page was taken offline and the vulnerability was fixed. For its part, LifeLock released a statement that the vulnerability was solely based within a marketing page managed by a third party to allow email recipients to unsubscribe, and that it was not present on any LifeLock member portal page. Critics, however, remain skeptical about what this type of flaw could mean for other potential security issues within LifeLock’s site.

What leaks like this one mean for consumers

Unfortunately, leaks like this are not uncommon. These types of flaws and vulnerabilities are discovered all the time, as evidenced by stories we’ve covered in just the past year — such as Panera Bread. As we recently noted, there’s a difference between a security leak and a security breach, as the latter involves someone actively stealing and/or exploiting data via a discovered vulnerability or purposeful attack. LifeLock users, therefore, don’t have anything concrete to worry about, as there isn’t any evidence (published by LifeLock or otherwise) that anyone actually accessed their email addresses. That said, it is certainly prudent for people to be on alert for potential phishing emails, since those are a bane of every email inbox owner’s existence.

The biggest concern that stories like this bring up is the question of how secure services like this truly are. We’ve long touted identity theft protection services as a great resource for people who want to protect their information, keep track of their credit reports and have professionals on their side in the event they run into identity theft. However, as we saw with last year’s Equifax breach, sometimes the entities entrusted with our most sensitive personal information don’t treat it with the care and security it deserves. LifeLock has been in hot water in the recent past, and some similar services — such as TrustedID, the service used by Equifax to provide credit monitoring and identity theft protection post-breach — have also been caught red-handed sleeping on the job.

Are identity theft protection services worth it?

The true value of these types of services for most people is the ability to closely monitor their credit reports and receive alerts when something changes, as well as the benefit of having a caseworker on their side after they’ve experienced fraud to walk them through the steps needed to restore their good name. However, as consumers have grown more savvy about credit and identity theft thanks to the publicity brought to these issues by so many high-profile data breaches, one could argue that these types of services aren’t worth the risk of handing over your personal data to be stored in a single database by a company that charges you a monthly fee for the privilege.

Thanks to tools like the FTC’s identity theft assistant for reporting instances of fraud, AnnualCreditReport.com (which allows you to view your credit reports for free once every 12 months), and credit freezes that lock down your credit reports so new accounts can’t be opened in your name, today the average consumer can take care of most identity theft protection issues themselves. We also have to face the fact that, by this point, most Americans have been compromised by at least one major data breach in the past five years or less. That kind of large-scale compromise has changed the landscape of identity theft, making it less about protection and prevention and more about mitigation after the fact. If you are willing to do the work to monitor your credit and various accounts, such as health insurance and your bank account, yourself for signs of fraud, then you’re already a few steps ahead. While you can’t monitor your activity on the Internet black market like identity theft protection services do, you can keep an eye on your public records and watch for suspicious mail.

To get ahead and stay there, follow our identity theft protection blog for all the tips and information you need to know to protect yourself in today’s ever-changing threat landscape.