UPDATED 23:05 EDT / JULY 26 2018


LifeLock exposes customer data via email unsubscribe vulnerability

Identity theft protection company LifeLock, a division of Symantec Corp., has exposed the email addresses of its customers in what could shape up to be one of the most ironic data exposure fails of all time.

The exposure occurred because of a flaw in the script LifeLock was using to allow customers to unsubscribe from its email lists. First described Wednesday by security researcher Brian Krebs, the vulnerability allowed anyone with a Web browser to index email addresses associated with millions of customer accounts, or to unsubscribe users from all communications from the company.
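The class of flaw described above is an unsubscribe endpoint that acts on whatever identifier the caller supplies and echoes the matching address back, so walking the identifier space both harvests addresses and mass-unsubscribes users. The following is an added illustration written for this article, not LifeLock's or Krebs's code, and the subscriber table, identifier scheme and key are constructed. It places that weak pattern beside the usual fix: an unsubscribe token that carries an HMAC over the subscriber id under a server-held key, verified in constant time, with the same "invalid" response for bad tags and unknown ids, and no address in the response.

```python
"""Constructed demo: a guessable-id unsubscribe handler beside an HMAC-token one.
Nothing here is LifeLock's or the researcher's code; all data is made up."""
import hashlib
import hmac
import secrets

# Constructed subscriber table keyed by guessable integer ids.
SUBSCRIBERS = {
    1001: {"email": "alice@example.com", "subscribed": True},
    1002: {"email": "bob@example.com", "subscribed": True},
    1003: {"email": "carol@example.com", "subscribed": True},
}

# Server-side secret (demo value generated per run, never sent to clients).
SERVER_KEY = secrets.token_bytes(32)


def weak_unsubscribe(param: str) -> dict:
    """Vulnerable pattern: the URL parameter is the bare subscriber id.
    Any caller can act on any id and learn the address behind it."""
    try:
        subscriber_id = int(param)
    except ValueError:
        return {"status": "not_found"}
    rec = SUBSCRIBERS.get(subscriber_id)
    if rec is None:
        return {"status": "not_found"}
    rec["subscribed"] = False
    return {"status": "unsubscribed", "email": rec["email"]}  # leaks the address


def _tag(id_str: str) -> str:
    return hmac.new(SERVER_KEY, id_str.encode(), hashlib.sha256).hexdigest()


def make_unsubscribe_token(subscriber_id: int) -> str:
    """Token embedded only in that subscriber's own email: '<id>.<hmac>'."""
    return f"{subscriber_id}.{_tag(str(subscriber_id))}"


def safe_unsubscribe(token: str) -> dict:
    """Hardened pattern: require a valid HMAC tag, compare in constant time,
    give one uniform failure response, and never echo the address."""
    try:
        id_str, tag = token.split(".", 1)
        subscriber_id = int(id_str)
    except ValueError:
        return {"status": "invalid"}
    if not hmac.compare_digest(_tag(id_str).encode(), tag.encode()):
        return {"status": "invalid"}
    rec = SUBSCRIBERS.get(subscriber_id)
    if rec is None:
        return {"status": "invalid"}  # same response: no id-existence oracle
    rec["subscribed"] = False
    return {"status": "unsubscribed"}


def audit_enumeration(handler, ids) -> list:
    """Defender's check: feed a handler a range of raw ids as a scanner
    would and return every address it gives back. Should be empty."""
    leaked = []
    for i in ids:
        resp = handler(str(i))
        if "email" in resp:
            leaked.append(resp["email"])
    return leaked


if __name__ == "__main__":
    print("weak handler leaked:", audit_enumeration(weak_unsubscribe, range(1000, 1010)))
    print("safe handler leaked:", audit_enumeration(safe_unsubscribe, range(1000, 1010)))
    print("genuine token:", safe_unsubscribe(make_unsubscribe_token(1002)))
    print("forged token:", safe_unsubscribe("1002.deadbeef"))
```

The audit function is the part worth keeping: run it against any unsubscribe or preference endpoint with a range of plausible identifiers, and a non-empty result is the finding. The hardened handler also avoids a subtler leak by answering "invalid" for both a bad tag and an unknown id, so the endpoint cannot be used to confirm which ids exist.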

“The upshot of this weakness is that cybercriminals could harvest the data and use it in targeted phishing campaigns that spoof LifeLock’s brand,” Krebs wrote.

LifeLock has since fixed the issue, and there is no word as to whether the data has been accessed for nefarious purposes, but the question comes down to one of trust: How do you trust a company that provides identity theft services when it itself exposes data about its customers?

Mark Weiner, chief marketing officer of Balbix Inc., told SiliconANGLE that the exposed email addresses do make the victims easy targets for spear-phishing, in which targeted emails are crafted to appear to come from someone the recipient knows.

“Not having broad visibility into the breach risk across an enterprise’s entire attack surface continues to be an issue for most organizations, and attackers are waiting for opportunities like this to strike,” Weiner said. “When an enterprise is not thinking proactively, misconfigurations such as this are easily missed. LifeLock may also suffer some brand reputation damage due to the bug as well.”

Setu Kulkarni, vice president of product and corporate strategy at WhiteHat Security Inc., explained that “web applications have become the cornerstone of operations for modern enterprises because they are accessible at all times, from any location or device. However, they often contain sensitive customer data, which means that securing the data must be a priority.”

Kulkarni said it’s common to see enterprises inheriting risk from third parties. “In many cases, webpages are developed by non-IT teams without much governance, and data-flow architecture gets ignored, which can jeopardize personally identifiable information,” he said. “Largely by necessity, web applications are built and deployed by a wide range of coders, architects and administrators, who sometimes make mistakes.”

Fred Kneip, chief executive officer of CyberGRX Inc., noted that attacks on third-party systems have become the easiest way for hackers to access companies’ data.

“The vulnerability in the LifeLock breach came from a website bug introduced by a partner that helps manage their marketing communications,” Kneip said. “When your business is centered around protecting data, as LifeLock’s is, this sort of reputational hit can be catastrophic. Companies need to understand that their third parties’ security controls are constantly vulnerable to new exploits, which creates a need to monitor and mitigate these risks as they arise.”

Image: LifeLock
