The flaw exists in the refer-a-friend portal on the site. The portal is exposed enough that all 300k+ users of LifeLock are open to the attack. Imagine going to a site that is supposed to protect you identity only to have your session hijacked and/or ransomeware dumped on your system. What is a little odd is that the flaw was there at all. Cross-Site scripting attacks are common and an identity protection site should have been able to notice this bug in the website.
The good news is that LifeLock patched the vulnerability within a few hours of it being disclosed. This is actually much faster than many other companies out there that take months to remediate security issues that are found by researchers.