Social Search Reveals 700 Comcast Customer Logins

nandemoari writes "When educational technology specialist Kevin Andreyo recently read a report on people search engines, he decided to conduct a little 'people search' on himself. Andreyo did not expect to find much — so, imagine the surprise when he uncovered the user name and password to his Comcast Internet account, put out there for the entire online world to see. In addition to his personal information, Andreyo also discovered a list that exposed the user names and passwords of (what he believed) to be 8,000 other Comcast customers. Andreyo immediately contacted both Comcast and the FBI, hoping to find the ones responsible for divulging such personal information to the public. While the list is no longer available online, analysts fear that the document still lives on in various cache and online history services."

Aggressive Social Sites

A few months ago, my wife received an "invite" from one of her friends regarding one of these "mom" social websites (I really wish that I could recall - but I can't) - picture sharing and all that doo-dah.

Long story short, my constant geek bantering about "security" had finally gotten through to my wife - and she was using a different password for each website. What happened was astonishing: buried in the 58 page EULA, there was text about authorizing the site in question to logon to her supplied email account (e.g. - gmail.com) using the same supplied password. When my wife used a password that was not the same as her email account, the site simply asked her for it.

In other words, the people who use the same password for everything would simply check the "I AGREE" box, which would authorize the new site to harvest their email contacts for the sake of spamming them. Since the generated emails would be coming from a known contact, it would become a plausible suggestion for each recipient (i.e. - better than unsolicited spam).

I can imagine that sites like this would have no problem selling and/or posting this information publicly.

Re:Aggressive Social Sites

Yes. My mother, and all of her sisters have facebook, and use it as much as any 15 year old girls. It is scary.

Password lists

[JWSmythe]

    I remember in the good ol' days of dialup, folks (now known as script kiddies) would pound on the dialups with common username:password combinations until they found one. Those lists would float around. I've seen lists of thousands of valid usernames. The folks who got them would use the now "free" dialup until the customer finally canceled. Of course, those usernames were the same as the email address (like foo@aol.com), so in theory you had their email address too. If you hopped in the right IRC channel and chatted for a few minutes, you could get your hands on a different list pretty quickly.

    I saw other comments saying that this was just Comcast insecurity, but it brought back memories. :)

I'll Give Even Comcast the Benefit of Doubt

[carlzum]

I have to believe Comcast is telling the truth and some kind of malware is to blame. Over my many years in corporate IT departments, I've seen customer information handled poorly in many way. But an application storing passwords in clear text? I can honestly say I've never seen that happen. Maybe in some homegrown internal application, but not a customer-facing web site in the post-SOX era. A company as big as Comcast is certainly using third-party authentication software. They would have to go out of their way to capture passwords.

If this document is traced back to Comcast they're guilty of more than simple incompetence, they engaged in deliberate unethical behavior.