Slashdot Mirror


Social Search Reveals 700 Comcast Customer Logins

nandemoari writes "When educational technology specialist Kevin Andreyo recently read a report on people search engines, he decided to conduct a little 'people search' on himself. Andreyo did not expect to find much — so, imagine the surprise when he uncovered the user name and password to his Comcast Internet account, put out there for the entire online world to see. In addition to his personal information, Andreyo also discovered a list that exposed the user names and passwords of (what he believed to be) 8,000 other Comcast customers. Andreyo immediately contacted both Comcast and the FBI, hoping to find the ones responsible for divulging such personal information to the public. While the list is no longer available online, analysts fear that the document still lives on in various cache and online history services."

10 of 158 comments

  1. How far is it spread? by Anthony_Cargile · · Score: 4, Insightful

    I wonder if that includes both home and business accounts. I'm sure you can Wayback the archive provided you have an original link or precise search terms, but this apparently affects quite a few people although the summary doesn't mention what exactly the revealed username/passwords are to.

    If I had to take a guess, I'd say email or online customer accounts (although I don't recall having one during my painful time with Comcast), which opens up either a financial or spam-exploitable security issue, not sure which.

    ...In a nutshell: This is pretty bad, but how deep does it go and can Comcast be held responsible in any way?

  2. Re:Aggressive Social Sites by Milkyfresh · · Score: 3, Insightful

    I'm more interested in the site that did this and the legality of them doing it. There is zero reason why a site needs your password to your e-mail account.

  3. Re:Comcast has Passwords? by afidel · · Score: 2, Insightful

    All the ISPs do that and as I have told my friends and family repeatedly over the years, DON'T under any circumstances let the installer near your PC with that thing, it's not needed and can only lead to problems.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  4. Best Way To Stay Anonymous? by tthomas48 · · Score: 2, Insightful

    Have a really, really common name.

  5. Re:I haxxored Comcast... by Anonymous Coward · · Score: 1, Insightful

    Presumably he called just to ask about the question he had about his account, instead of telling them about the hacking.

  6. Re:Aggressive Social Sites by Antique Geekmeister · · Score: 3, Insightful

    And you believe them about safely handling your password and never storing or selling it for other uses, why?

  7. Re:While the list is no longer available online by Anonymous Coward · · Score: 1, Insightful

    I think a lot of people would see it as "impolite" or worse. I would want disclosure, but the technologically illiterate would see it as a violation. Still, they are better off knowing.

    I won't be writing that script. :0)

  8. Re:I haxxored Comcast... by TheRaven64 · · Score: 2, Insightful

    Security questions are not too bad. The worst things are things like one of my banks which insists on asking me my date of birth and mother's maiden name when I log in. Both of these are public-domain information and can be accessed in a searchable form for a very small fee (or free if you bother collecting them all yourself from the various registries), but they seem to be under the impression that it adds some security.

    --
    I am TheRaven on Soylent News
  9. Re:How do I establish whether I am still a victim? by Fred_A · · Score: 2, Insightful

    They recommend setting the maximum password age to 42 days too. And the default is to remember the last 24 passwords and stop people reusing them.

    And that's when PostIts start to appear because people are fed up with remembering a new variant of "89fZ#9I$" every month.
    So you've substituted one security problem for another.

    Password expiration isn't all that it's cracked up to be.

    --

    May contain traces of nut.
    Made from the freshest electrons.
  10. Re:I'll Give Even Comcast the Benefit of Doubt by Lord Ender · · Score: 2, Insightful

    I work at a software company. In security.

    The software engineering team is absolutely certain they don't want corporate IT security anywhere near their precious development process. We would just slow things down. So they all put "security expert" on their resumes and said they don't need us, they know what they're doing, etc.

    Yeah, every app they use has totally botched authentication--plaintext password storage, unsalted hashes--you name the security mistake, these "expert" developers ship it in our top-dollar "enterprise" software.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.