Social Search Reveals 700 Comcast Customer Logins
nandemoari writes "When educational technology specialist Kevin Andreyo recently read a report on people search engines, he decided to conduct a little 'people search' on himself.
Andreyo did not expect to find much — so, imagine the surprise when he uncovered the user name and password to his Comcast Internet account, put out there for the entire online world to see.
In addition to his personal information, Andreyo also discovered a list that exposed the user names and passwords of what he believed to be 8,000 other Comcast customers. Andreyo immediately contacted both Comcast and the FBI, hoping to find the ones responsible for divulging such personal information to the public.
While the list is no longer available online, analysts fear that the document still lives on in various cache and online history services."
A few months ago, my wife received an "invite" from one of her friends regarding one of these "mom" social websites (I really wish that I could recall - but I can't) - picture sharing and all that doo-dah.
Long story short, my constant geek bantering about "security" had finally gotten through to my wife - and she was using a different password for each website. What happened was astonishing: buried in the 58 page EULA, there was text about authorizing the site in question to log on to her supplied email account (e.g. - gmail.com) using the same supplied password. When my wife used a password that was not the same as her email account, the site simply asked her for it.
In other words, the people who use the same password for everything would simply check the "I AGREE" box, which would authorize the new site to harvest their email contacts for the sake of spamming them. Since the generated emails would be coming from a known contact, it would become a plausible suggestion for each recipient (i.e. - better than unsolicited spam).
I can imagine that sites like this would have no problem selling and/or posting this information publicly.
While the list is no longer available online, analysts fear that the document still lives on in various cache and online history services."
I would like to know whether my details are on that list. Question is: How do I get a hold of that list? How do I access data from the so called caches?
I remember in the good ol' days of dialup, folks (now known as script kiddies) would pound on the dialups with common username:password combinations until they found one. Those lists would float around. I've seen lists of thousands of valid usernames. The folks who got them would use the now "free" dialup until the customer finally canceled. Of course, those usernames were the same as the email address (like foo@aol.com), so in theory you had their email address too. If you hopped in the right IRC channel and chatted for a few minutes, you could get your hands on a different list pretty quickly.
I saw other comments saying that this was just Comcast insecurity, but it brought back memories. :)
Serious? Seriousness is well above my pay grade.
I hide my computers for it (I have just moved after all).
The modem needs to be activated, and the CD can do it, but they can do it remotely too. So I just tell them I want internet for my Xbox, but don't have a computer set up yet. They oblige.
I'm pretty sure they would have done it if I just said I didn't want to install the software on the phone, but I didn't want to risk it.
I called a more local office directly though, and they are always polite and helpful (found a local non 800 number).
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
If, according to Comcast, the passwords are heavily encrypted, how the hell can someone find them in clear text?
That means someone or something somewhere stores this information in clear text to begin with.
How bad would it be to write a script to email all these people and maybe disclose the first 3 or 4 letters of their password, and if they see it's the same, then maybe they can take action...
Would that be impolite or considered spam?
I have to believe Comcast is telling the truth and some kind of malware is to blame. Over my many years in corporate IT departments, I've seen customer information handled poorly in many ways. But an application storing passwords in clear text? I can honestly say I've never seen that happen. Maybe in some homegrown internal application, but not a customer-facing web site in the post-SOX era. A company as big as Comcast is certainly using third-party authentication software. They would have to go out of their way to capture passwords.
If this document is traced back to Comcast they're guilty of more than simple incompetence, they engaged in deliberate unethical behavior.
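Two comments above turn on the same point: the one asking how "heavily encrypted" passwords can show up in clear text, and the one doubting that a customer-facing site would store passwords in clear text at all. The following is an added example, not code from the thread, Comcast, or any named vendor. It contrasts a reversible store (a toy keyed scheme, constructed here; any such store gives every password back to whoever holds the key and the table) with a salted one-way PBKDF2 store, where a leaked table yields only hashes and the attacker is reduced to guessing. The user records, server key and iteration count are constructed for illustration.

```python
"""Added example (not from the thread): why a leaked list of clear-text
passwords means they were stored recoverably, and what a one-way store
looks like instead.  Standard library only; keys and records are constructed."""
from __future__ import annotations

import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; an assumption, tune for your hardware

# --- Scheme 1: reversible "encryption" (what a clear-text leak implies) ---
# Toy XOR stream keyed from a server secret.  Anyone holding the key and the
# table (a compromised host, malware, an insider) recovers every password,
# which is the risk of any recoverable store, however strong the cipher.
SERVER_KEY = b"server-side secret kept next to the database"  # constructed


def _keystream(key: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def reversible_store(password: str, key: bytes = SERVER_KEY) -> bytes:
    data = password.encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def reversible_recover(blob: bytes, key: bytes = SERVER_KEY) -> str:
    return bytes(a ^ b for a, b in zip(blob, _keystream(key, len(blob)))).decode()


# --- Scheme 2: salted one-way hash (what a customer-facing site should do) ---
def hash_password(password: str, salt: bytes | None = None) -> str:
    """Return 'pbkdf2$iterations$salt_hex$hash_hex' for storage."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, iterations, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


# --- Simulated leak: what an attacker gets from each kind of store ---
USERS = {  # constructed sample records, not real accounts
    "alice@example.net": "Tr0ub4dor&3",
    "bob@example.net": "correct horse battery staple",
}


def leak_reversible_store(key: bytes = SERVER_KEY) -> dict[str, str]:
    """Attacker with the table and the server key: every password comes back."""
    table = {u: reversible_store(p, key) for u, p in USERS.items()}
    return {u: reversible_recover(blob, key) for u, blob in table.items()}


def leak_hashed_store() -> dict[str, str]:
    """Attacker with the hashed table: only salted hashes, no clear text."""
    return {u: hash_password(p) for u, p in USERS.items()}


def offline_guess(stored: str, guesses: list[str]) -> str | None:
    """Best the attacker can do against a hash: try candidates one at a time."""
    for g in guesses:
        if verify_password(g, stored):
            return g
    return None


if __name__ == "__main__":
    print("reversible store leaks:", leak_reversible_store())
    leaked = leak_hashed_store()
    print("hashed store leaks:", leaked)
    print("guessing alice from a wordlist:",
          offline_guess(leaked["alice@example.net"],
                        ["password", "123456", "Tr0ub4dor&3"]))
```

The point for the thread: a list of 8,000 clear-text credentials cannot come from a store like scheme 2, no matter how it was breached; it requires either a recoverable store plus its key, or capture of the passwords in transit or at the login form (malware, a phishing page, a logging proxy) before they were ever hashed.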