It was recently discovered that the direct to consumer identity theft service provider Lifelock had a vulnerability on its websites. The issue was reported by security blogger Brian Krebs at the end of July, and was called out by a former Lifelock customer and security researcher.
While the vulnerability was limited to potential exposure of users’ e-mail addresses, it could have been ugly had it been misappropriated by fraudsters looking to launch a directed phishing campaign on Lifelock customers. Fortunately, after learning about the vulnerability, Lifelock acted quickly to fix it.
But there is actually a lot to unpack here, and most of it has little to do with the actual vulnerability itself, though it is a good enough place to start.
What was the vulnerability all about?
The problem at Lifelock had to do with the ‘unsubscribe feature’ found in customer e-mails. Clicking the unsubscribe link in an…