Why was Norton's notification for dark web 10 months after the hack occured?

Archive
1

I was notified on 12/21/23 of a dark web appearance of my private information breached at eye4fraud.  The breach was made public in Feb. 2023.  Why did this notification take so long?

2

Do you have an account with Eye4Fraud?
Did Eye4Fraud notify you of the breach?  

Eye4Fraud

In February 2023, data alleged to have been taken from the fraud protection service Eye4Fraud was listed for sale on a popular hacking forum. Spanning tens of millions of rows with 16M unique email addresses, the data was spread across 147 tables totalling 65GB and included both direct users of the service and what appears to be individuals who'd placed orders on other services that implemented Eye4Fraud to protect their sales. The data included names and bcrypt password hashes for users, and names, phone numbers, physical addresses and partial credit card data (card type and last 4 digits) for orders placed using the service. Eye4Fraud did not respond to multiple attempts to report the incident.

Breach date: 25 January 2023
Date added to HIBP: 6 March 2023
Compromised accounts: 16,000,591
Compromised data: Email addresses, IP addresses, Names, Partial credit card data, Passwords, Phone numbers, Physical addresses

https://haveibeenpwned.com/PwnedWebsites#Eye4Fraud 

Eye4Fraud data Breach
March 10
Got notification that my personal data was compromised in the Eye4Fraud Breach. It also says my passwords have been compromised. I am not a customer of Eye4Fraud and don't have an account with them. I had never heard of Eye4Fraud. What should I be concerned about and what precautions should I take? I have no clue which of my passwords have been compromised. Any advice?
Thanks very much!

March 11
Eye4Fraud is a service for shops ("ecommerce merchants"). It is used by some shop you visited. When you bought something, the shop gave your data to eye4fraud to check the transaction for possible fraud. As long as the shop or Eye4Fraud don't contact you to notify you of the breach, you will probably not learn which shop it was.

This is a worst case scenario for shop users. They cannot control which fraud protection some shop site uses, and they cannot assess how trustworthy that fraud protection service is to get the choice of not buying at that shop.

It's not your fault the data was compromised, it's not the shop's fault the data was compromised. The shop did a bad job by choosing a not trustworthy fraud protection service. I don't know that kind of service, but for me it's strange that (hashed) passwords are handed over to a fraud protection service. That's a so sensitive data that must not leave the shop. Giving this to a 3rd party undermines the trust in every web service.

What you can probably do:
Either nothing (you don't know which shop it was).
Or identify which of your logins belongs to some website where you conducted some financial transaction. Not your bank, because a bank would use a much better and bigger service, but all sites where you bought something. Then change the passwords for all of these.

https://1password.community/discussion/138676/eye4fraud-data-breach 

3

The breach may have been in Feb of 2023 but the information may take awhile before it is posted on the dark web by the bad actors.