Social Search Reveals 700 Comcast Customer Logins
nandemoari writes "When educational technology specialist Kevin Andreyo recently read a report on people search engines, he decided to conduct a little 'people search' on himself.
Andreyo did not expect to find much — so, imagine the surprise when he uncovered the user name and password to his Comcast Internet account, put out there for the entire online world to see.
In addition to his personal information, Andreyo also discovered a list that exposed the user names and passwords of what he believed to be 8,000 other Comcast customers. Andreyo immediately contacted both Comcast and the FBI, hoping to find the ones responsible for divulging such personal information to the public.
While the list is no longer available online, analysts fear that the document still lives on in various cache and online history services."
Who knew? Are these the same people who actually let Comcast install software on their computers?
--Nothing to do with the leak of passwords, just saying.....
I wonder if that includes both home and business accounts. I'm sure you can Wayback the archive provided you have an original link or precise search terms, but this apparently affects quite a few people although the summary doesn't mention what exactly the revealed username/passwords are to.
...In a nutshell: This is pretty bad, but how deep does it go and can Comcast be held responsible in any way?
If I had to take a guess, I'd say email or online customer accounts (although I don't recall having one during my painful time with Comcast), which opens up either a financial or a spam-exploitable security issue, not sure which.
True, in fact, there is already a comment that gives a download mirror, see here. [slashdot.org]
Nobody waste your time/bandwidth even following that link, as it's to the troll post above which links to nothing but a video and imagery probably nobody wants to see (recall goatse.cx links).
A few months ago, my wife received an "invite" from one of her friends regarding one of these "mom" social websites (I really wish that I could recall - but I can't) - picture sharing and all that doo-dah.
Long story short, my constant geek bantering about "security" had finally gotten through to my wife - and she was using a different password for each website. What happened was astonishing: buried in the 58 page EULA, there was text about authorizing the site in question to log on to her supplied email account (e.g. - gmail.com) using the same supplied password. When my wife used a password that was not the same as her email account, the site simply asked her for it.
In other words, the people who use the same password for everything would simply check the "I AGREE" box, which would authorize the new site to harvest their email contacts for the sake of spamming them. Since the generated emails would be coming from a known contact, it would become a plausible suggestion for each recipient (i.e. - better than unsolicited spam).
I can imagine that sites like this would have no problem selling and/or posting this information publicly.
I worked for Comcast about 8 years ago and at the time they had a Remedy test account they used for various stuff. One day I decided to log in to the FTP using the Remedy account and sitting there was a year old file with every subscriber's login and password. And since the FTP site was the account's web site home folder, these were just sitting there available to everyone.
Customers and people like them are the people your data is sold over. ;)
As a consumer, you are one of many.
Even if someone does care, it's a quick fix and back to a race to the bottom.
Security is for paying equals, the people you cannot afford to upset.
Paying a consumer data 'fine' every so often and a slick PR release is cheaper than real, expensive, ongoing prevention.
If Congress or any other gov entity cares, any company can swear they have the best security in place..
Just not everywhere, all the time.
A line of top university security experts and other independent experts would tell of how the company is secure..
but you're not a company, just a consumer.
Domestic spying is now "Benign Information Gathering"
While the list is no longer available online, analysts fear that the document still lives on in various cache and online history services."
I would like to know whether my details are on that list. Question is: How do I get a hold of that list? How do I access data from the so called caches?
I remember in the good ol' days of dialup, folks (now known as script kiddies) would pound on the dialups with common username:password combinations until they found one. Those lists would float around. I've seen lists of thousands of valid usernames. The folks who got them would use the now "free" dialup until the customer finally canceled. Of course, those usernames were the same as the email address (like foo@aol.com), so in theory you had their email address too. If you hopped in the right IRC channel and chatted for a few minutes, you could get your hands on a different list pretty quickly.
I saw other comments saying that this was just Comcast insecurity, but it brought back memories. :)
Serious? Seriousness is well above my pay grade.
Have a really, really common name.
So I'm trying to log on to Comcast to look at my bill. It's one of those places you log on every three years or so, so I can't remember anything about the account. I gave them my name and they give me a secret question asking "What is your favorite drink?" Well who the hell has a special favorite drink? So I plug in a few answers and finally try "milk". Bingo, I'm in. Change the password to my standard website name hash, poke around, get confused, and realize... wait a second... this isn't my account. My name is fairly rare, but I guess not rare enough. I don't really have any way of resetting it to what it was before, and for some reason there was no email verification involved. So I whistled quietly as I closed the window and called customer service instead.
well... yoda does look a bit trollish
I can't seem to find the link to the page with the passwords, seems their servers weren't up to slashdot.
Can someone post google cache link please?
Sewage Treatment Facilities - "Our duty is clear."
If, according to Comcast, the passwords are heavily encrypted, how the hell can someone find them in clear text?
That means someone or something somewhere stored this information in clear text to begin with.
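The point above, that a properly stored password record cannot be turned back into the clear-text password, in an added example that is not part of the original thread and is not Comcast's actual scheme. It stores a password as a salted PBKDF2-HMAC-SHA256 digest (a one-way key derivation, not reversible encryption), verifies a login attempt against that record, and shows that the record never contains the password itself; the record format, iteration count and sample password are assumptions for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for the example; tune upward as hardware gets faster.
ITERATIONS = 210_000
ALGO = "pbkdf2_sha256"


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a storable record from a password.

    The record holds the algorithm, the work factor, a random per-user salt and
    the derived digest. None of these fields can be reversed to the password;
    an attacker who steals the record still has to guess and re-derive.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Check a login attempt against a stored record in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != ALGO:
        raise ValueError(f"unsupported record type: {algo}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # compare_digest avoids leaking how many bytes matched via timing.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def record_exposes_password(password: str, record: str) -> bool:
    """True only if the clear-text password appears inside the stored record.

    With a real one-way derivation this is always False; a clear-text or
    reversible store is exactly what makes a leaked file usable as-is.
    """
    return password in record


if __name__ == "__main__":
    # Constructed sample password; not from the leaked list.
    rec = make_record("milk")
    print(rec)
    print("login ok:", verify("milk", rec))
    print("wrong password rejected:", not verify("Milk", rec))
    print("record leaks password:", record_exposes_password("milk", rec))
```

Two records made for the same password differ because each gets its own salt, so a leaked file of such records cannot be cracked with one precomputed table; the thread's leaked list, by contrast, was directly usable, which is only possible if the clear text (or something reversible to it) was stored.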
New Economic Perspectives
I mean the following statement with little to no sarcasm at all. How many of you will believe that is a different story.
I have Slashdot to thank once again for saving me at the last minute from switching from Verizon to Comcast.
It is.
http://66.218.69.11/search/cache?ei=UTF-8&p=%22ComCast+Mail%22++Kevin+Andreyo&fr=yfp-t-501&u=www.scribd.com/doc/9723141/ComCast-Mail&w=%22comcast+mail%22+kevin+andreyo&d=ZjZ_Sp2uSYep&icp=1&.intl=us
Took about a minute to find.
After all, I am strangely colored.
I bet there will be a lot of messages around reporting pretty much what the article says, telling the user that his password was disclosed, and asking him to change his password at www.comcast.com.etc.hacksite.com/resetpassword.php.
There is always space to make a bad situation far worse
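The host in the comment above, www.comcast.com.etc.hacksite.com, is the standard phishing trick of putting the real brand in a subdomain of an attacker-controlled registrable domain. The following added example (not part of the original thread) classifies such links by looking at the registrable domain of the host rather than at whether the URL "contains comcast". The set of legitimate domains is an assumption for the example, and the two-label registrable-domain rule is a simplification; real code should consult the Public Suffix List so that names like co.uk are handled.

```python
from urllib.parse import urlsplit

# Assumed set of domains the ISP legitimately uses; not taken from any source.
LEGIT_DOMAINS = {"comcast.com", "comcast.net"}
BRAND = "comcast"


def registrable_domain(host: str) -> str:
    """Return the last two labels of a host (simplified; no Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(url: str) -> str:
    """Classify a link as legit, lookalike, suspicious, unrelated or invalid."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "invalid"
    # "http://www.comcast.com@hacksite.com/" puts the brand in the userinfo
    # part; browsers connect to hacksite.com, so treat any userinfo as hostile.
    if parts.username is not None:
        return "suspicious: userinfo before host"
    if registrable_domain(host) in LEGIT_DOMAINS:
        return "legit"
    if BRAND in host:
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links for the example.
    for link in (
        "http://www.comcast.com.etc.hacksite.com/resetpassword.php",
        "https://www.comcast.com/reset",
        "http://www.comcast.com@hacksite.com/",
        "https://example.org/",
    ):
        print(f"{classify(link):35s} {link}")
```

The check deliberately ignores the path and the scheme: whatever follows the host is under the attacker's control once the registrable domain is theirs.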
How bad would it be to write a script to email all these people and maybe disclose the first 3 or 4 letters of their password, and if they see it's the same, then maybe they can take action...
Would that be impolite or considered spam?
I think a lot of people would see it as "impolite" or worse. I would want disclosure, but the technologically illiterate would see it as a violation. Still, they are better off knowing.
I won't be writing that script. :0)
I have to believe Comcast is telling the truth and some kind of malware is to blame. Over my many years in corporate IT departments, I've seen customer information handled poorly in many ways. But an application storing passwords in clear text? I can honestly say I've never seen that happen. Maybe in some homegrown internal application, but not a customer-facing web site in the post-SOX era. A company as big as Comcast is certainly using third-party authentication software. They would have to go out of their way to capture passwords.
If this document is traced back to Comcast they're guilty of more than simple incompetence, they engaged in deliberate unethical behavior.
and figured hey I'm on slashdot the smart people here will get what I'm saying.
You must be new here...
It's not about smartness. It's about those people here that have nothing better to do than to hang around here all day long, have tons of prejudice and projection, stemming from the self-hatred of not being out there and getting girls, or something like that. It's a very primitive thing. They are very smart on an intellectual level, but emotional and social pre-school children.
It's what comes as a price with concentrating so much on technology. But hey, would you want to get tons of girls, and not know what to input in a shell? See...
Any sufficiently advanced intelligence is indistinguishable from stupidity.
Don't use your mom's real maiden name, just make something up... of course, you'll have to remember what you made up ;-)
Yea...welll... YOU SUCK! I'm going to play with my hawt 3.0 hax'd iphone.
I do not support "The Man". I also do not support your irrational stupidity
Obviously, it's still out there (look down below in this thread). I remember I changed my comcast password last summer, when they previously announced a similar problem. Now, just to be safe, I'm changing it about every three months, just as I do my work account. You can't be too careful with this kind of stuff, particularly when the gatekeepers of your private information cannot be trusted to safeguard it as securely as I do on my own network.
I like your mention of security. I installed my grandmother's Telus modem (she has had Telus for a long time and can't change due to her email being used for a business). The modem is actually a 2-wire wireless modem, with a DEFAULT wireless password (password=telus)... Compare this to Shaw, who actually stopped by one day (they had had problems in the area and were personally asking people if they had had problems). I talked for a minute with him and happened to mention that I had a network, and he promptly asked me if I had secured the connection properly.
My brother recently tried to get the really cheap low bandwidth DSL from Verizon in IL. The only thing you could do through the DSL modem initially was install the Verizon software that took you through setup.
My brother doesn't currently have a computer. He wanted the DSL so he could VPN to work with his work computer. The work computer is locked down and will only do VPN to the company over non company networks.
Using a borrowed computer, he went through the process. All the software did was ask some questions to verify who he was etc. (probably for billing purposes) and allow him to build a Verizon email account etc. All things that could have been done via a web service and a browser, if set up that way.
This worked for about a week, and then magically reverted, requiring it to be done again. So, he called Verizon explaining that he didn't have a computer, and they basically said he wasn't going to be able to use the service.
So, did he just get bad information from a bad rep, or is Verizon one company basically forcing you to put software on your computer (at least initially) to set up the account?
i've forgotten;-)
One of my charge card accounts actually asked me that. If I answered correctly, all my childhood friends and enemies are in.
If you must moderate, please moderate as irrelevant, not something bad, because I'm sure someone will find this interest