Slashdot Mirror


Social Search Reveals 700 Comcast Customer Logins

nandemoari writes "When educational technology specialist Kevin Andreyo recently read a report on people search engines, he decided to conduct a little 'people search' on himself. Andreyo did not expect to find much — so, imagine the surprise when he uncovered the user name and password to his Comcast Internet account, put out there for the entire online world to see. In addition to his personal information, Andreyo also discovered a list that exposed the user names and passwords of (what he believed) to be 8,000 other Comcast customers. Andreyo immediately contacted both Comcast and the FBI, hoping to find the ones responsible for divulging such personal information to the public. While the list is no longer available online, analysts fear that the document still lives on in various cache and online history services."

31 of 158 comments

  1. Comcast has Passwords? by westyvw · · Score: 3, Funny

    Who knew? Are these the same people who actually let Comcast install software on their computers?

    --Nothing to do with the leak of passwords, just saying.....

    1. Re:Comcast has Passwords? by afidel · · Score: 2, Insightful

      All the ISPs do that and as I have told my friends and family repeatedly over the years, DON'T under any circumstances let the installer near your PC with that thing, it's not needed and can only lead to problems.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    2. Re:Comcast has Passwords? by JWSmythe · · Score: 4, Funny

      I've moved around a lot, and each time they've tried. They've also been insistent that I have a Windows machine for them to install with. I used to keep a spare Windows box handy just for the installs. Usually I could talk them out of touching the machine. Two insisted, and finally made me sign a waiver that I refused, but the connection worked so I didn't care. One blatantly refused to do the install without putting the CD in. I was happy that it was a spare machine I didn't care about. It came offline, and I put my Linux machine up just after they walked out the door. It had a nice clean install of Win98 on it, so they got absolutely no personal information. I wiped it later on, just in case I needed it again for something.

      --
      Serious? Seriousness is well above my pay grade.
    3. Re:Comcast has Passwords? by AvitarX · · Score: 3, Interesting

      I hide my computers for it (I have just moved after all).

      The modem needs to be activated, and the CD can do it, but they can do it remotely too. So I just tell them I want internet for my Xbox, but don't have a computer set up yet. They oblige.

      I'm pretty sure they would have done it if I just said I didn't want to install the software on the phone, but I didn't want to risk it.

      I called a more local office directly though, and they are always polite and helpful (found a local non 800 number).

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    4. Re:Comcast has Passwords? by furby076 · · Score: 2, Informative

      It's actually quite simple. When the comcast person arrives at your house and installs the hardware they will want to install the software. Tell them no and have them call their dispatch. They don't like to do it because now they have to wait on hold, get the person to manually activate the modem (why the software is not built into the modem is beyond me), and wait for it to start. Basically it means the comcast guy will be at your place for an additional 30 minutes. They will, however, not install it on your request. I have never had to persuade, argue, bribe, or threaten the person - I just said "no thanks I prefer not to have any extra software on my computer".

      Let's not make it sound like mission impossible.

      --
      I do not support "The Man". I also do not support your irrational stupidity
    5. Re:Comcast has Passwords? by Lord+Ender · · Score: 2, Funny

      While Time Warner, the local cable company, has never tried to force me to install their crapware; if they tried, I would have no trouble handing them my netbook (which lacks an optical drive).

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  2. How far is it spread? by Anthony_Cargile · · Score: 4, Insightful

    I wonder if that includes both home and business accounts. I'm sure you can Wayback the archive provided you have an original link or precise search terms, but this apparently affects quite a few people although the summary doesn't mention what exactly the revealed username/passwords are to.

    If I had to take a guess, I'd say email or online customer accounts (although I don't recall having one during my painful time with Comcast), which opens up either a financial or spam-exploitable security issue, not sure which.

    ...In a nutshell: This is pretty bad, but how deep does it go and can Comcast be held responsible in any way?

  3. Re:While the list is no longer available online by Anthony_Cargile · · Score: 2, Informative

    True, in fact, there is already a comment that gives a download mirror, see here. [slashdot.org]

    Nobody waste your time/bandwidth even following that link, as it's to the troll post above which links to nothing but a video and imagery probably nobody wants to see (recall goatse.cx links).

  4. Aggressive Social Sites by Anonymous Coward · · Score: 5, Interesting

    A few months ago, my wife received an "invite" from one of her friends regarding one of these "mom" social websites (I really wish that I could recall - but I can't) - picture sharing and all that doo-dah.

    Long story short, my constant geek bantering about "security" had finally gotten through to my wife - and she was using a different password for each website. What happened was astonishing: buried in the 58 page EULA, there was text about authorizing the site in question to logon to her supplied email account (e.g. - gmail.com) using the same supplied password. When my wife used a password that was not the same as her email account, the site simply asked her for it.

    In other words, the people who use the same password for everything would simply check the "I AGREE" box, which would authorize the new site to harvest their email contacts for the sake of spamming them. Since the generated emails would be coming from a known contact, it would become a plausible suggestion for each recipient (i.e. - better than unsolicited spam).

    I can imagine that sites like this would have no problem selling and/or posting this information publicly.

    1. Re:Aggressive Social Sites by Milkyfresh · · Score: 3, Insightful

      I'm more interested in the site that did this and the legality of them doing it. There is zero reason why a site needs your password to your e-mail account.

    2. Re:Aggressive Social Sites by Anonymous Coward · · Score: 5, Interesting

      Yes. My mother, and all of her sisters have facebook, and use it as much as any 15 year old girls. It is scary.

    3. Re:Aggressive Social Sites by z0idberg · · Score: 4, Informative

      You're not understanding the issue. Yes facebook etc. ask for your email password to get your contact list, but the issue the OP is talking about (though who knows if it's true given it's an AC who can't recall the original site) is that the site tries to use your supplied email address and the password you use *for that particular site* to try and login to your email account and get your contact list. So you aren't prompted for your gmail/yahoo/hotmail password. They just try to login to your email using your supplied email address and the password for that site. Sneaky given most(?) people use the same password across a wide range of places.

    4. Re:Aggressive Social Sites by Brickwall · · Score: 2, Interesting

      I understand the need to have different logon/passwords, but geez - some sites are going nuts. My bank and my credit card company wanted to put me through TWO logons each, using different IDs and passwords. And of course, if you forget, neither of them will email you your password; you have to phone tech support, sit on hold for 10-20 minutes, and wait for tech support to reset the password, which takes another 20-30 minutes to take effect. So, just to check my card balance, what should have been a 30-second endeavour turns into an hour-long PITA.

      And I'm not so naive as to write them on a post-it stuck to the bottom of my keyboard, or write them backwards on the back of my credit card. And I did try your suggestion of storing them in a file, but since the ones I forget are sites that I visit infrequently, I forgot the name of the freakin' file! (And again, I'm not so stupid as to name the file "passwords" or "pw", or similar.)

      Finally, the solution that worked for me was using one ID/password combo for sites that don't represent any security issues (e.g. Slashdot), another combo for sites that I don't particularly want people to snoop on (e-mail), and another one with an exceptionally hard password for sites that I really want to keep private, like banking and credit cards. But I wish there was an easier way.

      --
      What was once true, is no longer so
    5. Re:Aggressive Social Sites by Antique+Geekmeister · · Score: 3, Insightful

      And you believe them about safely handling your password and never storing or selling it for other uses, why?

    6. Re:Aggressive Social Sites by fractoid · · Score: 2, Informative

      Actually, what the GPP is referring to is that when you create a Facebook account, it allows you to enter your email password for a few of the major webmail providers (GMail, Hotmail, can't remember the others), trawls through your contact list and/or inbox, and gives you a list of people you've contacted via email who also have facebook accounts. It's a convenient (albeit scary from the security PoV) way to populate your friend list for a new account.

      --
      Rampant carbon sequestration destroyed the Dinosaurs' tropical paradise. I'm here to help repair the damage.
  5. Not the first time by Anonymous Coward · · Score: 5, Informative

    I worked for comcast about 8 years ago and at the time they had a Remedy test account they used for various stuff. One day I decided to login to the ftp using the remedy account and sitting there was a year old file with every subscriber's login and password. And since the ftp site was the account's web site home folder, these were just sitting there available to everyone.

  6. How do I establish whether I am still a victim? by bogaboga · · Score: 2, Interesting

    While the list is no longer available online, analysts fear that the document still lives on in various cache and online history services."

    I would like to know whether my details are on that list. Question is: How do I get a hold of that list? How do I access data from the so called caches?

    1. Re:How do I establish whether I am still a victim? by Fred_A · · Score: 2, Insightful

      They recommend setting the maximum password age to 42 days too. And the default is to remember the last 24 passwords and stop people reusing them.

      And that's when PostIts start to appear because people are fed up with remembering a new variant of "89fZ#9I$" every month.
      So you've substituted one security problem for another.

      Password expiration isn't all that it's cracked up to be.

      --
      May contain traces of nut.
      Made from the freshest electrons.
  7. Password lists by JWSmythe · · Score: 4, Interesting

    I remember in the good ol' days of dialup, folks (now known as script kiddies) would pound on the dialups with common username:password combinations until they found one. Those lists would float around. I've seen lists of thousands of valid usernames. The folks who got them would use the now "free" dialup until the customer finally canceled. Of course, those usernames were the same as the email address (like foo@aol.com), so in theory you had their email address too. If you hopped in the right IRC channel and chatted for a few minutes, you could get your hands on a different list pretty quickly.

    I saw other comments saying that this was just Comcast insecurity, but it brought back memories. :)

    --
    Serious? Seriousness is well above my pay grade.
    1. Re:Password lists by 0100010001010011 · · Score: 2, Interesting

      Easier than that, over my 16.8k connection I would ping scan port 80. 99.9% of the port 80s that were open were routers that served internal networks. The geniuses at the router company decided that shadowing the password on the config page was enough.

      Little did they know I was a Haxxor that knew how to "View Page Source".

      So many accounts from that...

  8. Best Way To Stay Anonymous? by tthomas48 · · Score: 2, Insightful

    Have a really, really common name.

  9. I haxxored Comcast... by feepness · · Score: 5, Funny

    So I'm trying to log on to Comcast to look at my bill. It's one of those places you log on every three years or so, so I can't remember anything about the account. I gave them my name and they give me a secret question asking "What is your favorite drink?" Well who the hell has a special favorite drink? So I plug in a few answers and finally try "milk". Bingo, I'm in. Change the password to my standard website name hash, poke around, get confused, and realize... wait a second... this isn't my account. My name is fairly rare, but I guess not rare enough. I don't really have any way of resetting it to what it was before, and for some reason there was no email verification involved. So I whistled quietly as I closed the window and called customer service instead.

    1. Re:I haxxored Comcast... by TheRaven64 · · Score: 2, Insightful

      Security questions are not too bad. The worst things are things like one of my banks which insists on asking me my date of birth and mother's maiden name when I log in. Both of these are public-domain information and can be accessed in a searchable form for a very small fee (or free if you bother collecting them all yourself from the various registries), but they seem to be under the impression that it adds some security.

      --
      I am TheRaven on Soylent News
    2. Re:I haxxored Comcast... by Ironica · · Score: 2, Funny

      Not completely secure if the attacker knows your hash function but I longer low hangng fruit

      Or you could just use the last five words as your secret passphrase, and no one would ever get it because it's apparently a totally random combination of words and letters.

      --
      Don't you wish your girlfriend was a geek like me?
  10. Slashdotted... by rockNme2349 · · Score: 2, Funny

    I can't seem to find the link to the page with the passwords, seems their servers weren't up to slashdot.
    Can someone post google cache link please?

    --
    Sewage Treatment Facilities - "Our duty is clear."
    1. Re:Slashdotted... by Hal_Porter · · Score: 2, Funny

      I shall notify the people who have critically weak passwords by email.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
  11. Heavily encrypted? by ub3r+n3u7r4l1st · · Score: 3, Interesting

    If, according to comcast, the passwords are heavily encrypted, how the hell can someone find them in clear text?

    That means someone or something somewhere stored this information in clear text to begin with.

  12. Re:While the list is no longer available online by poopdeville · · Score: 5, Informative

    --
    After all, I am strangely colored.
  13. Re:While the list is no longer available online by Anonymous Coward · · Score: 2, Interesting

    How bad would it be to write a script to email all these people and maybe disclose the first 3 or 4 letters of their password, and if they see it's the same, then maybe they can take action...

    Would that be impolite or considered spam?

  14. I'll Give Even Comcast the Benefit of Doubt by carlzum · · Score: 4, Interesting

    I have to believe Comcast is telling the truth and some kind of malware is to blame. Over my many years in corporate IT departments, I've seen customer information handled poorly in many ways. But an application storing passwords in clear text? I can honestly say I've never seen that happen. Maybe in some homegrown internal application, but not a customer-facing web site in the post-SOX era. A company as big as Comcast is certainly using third-party authentication software. They would have to go out of their way to capture passwords.

    If this document is traced back to Comcast they're guilty of more than simple incompetence, they engaged in deliberate unethical behavior.

    1. Re:I'll Give Even Comcast the Benefit of Doubt by Lord+Ender · · Score: 2, Insightful

      I work at a software company. In security.

      The software engineering team is absolutely certain they don't want corporate IT security anywhere near their precious development process. We would just slow things down. So they all put "security expert" on their resumes and said they don't need us, they know what they're doing, etc..

      Yeah, every app they use has totally botched authentication--plaintext password storage, unsalted hashes--you name the security mistake, these "expert" developers ship it in our top-dollar "enterprise" software.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
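The "heavily encrypted" question above and the plaintext/unsalted-hash complaint in this last reply come down to the same thing: what a copy of the stored credential file reveals. The following is an added example, not code from the thread or from Comcast; it stores one constructed password under the three schemes the thread names and assesses what a leaked record gives away under each. All account data is made up.

```python
import hashlib
import hmac
import os

# Constructed list of common passwords; stands in for the precomputed tables
# that make unsalted hashes of popular passwords trivial to reverse.
COMMON_PASSWORDS = ["password", "123456", "milk", "letmein"]


def store_plaintext(password: str) -> str:
    # "Clear text": the stored record is the password itself, so any copy
    # of the file (backup, FTP home folder, cache) is the leak.
    return password


def store_unsalted_sha256(password: str) -> str:
    # No salt: equal passwords produce identical records, and one table of
    # hashed common passwords maps most records straight back to the password.
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted_pbkdf2(password: str, iterations: int = 100_000) -> str:
    # Per-record random salt plus a deliberately slow KDF: the record cannot be
    # matched against a shared table, and every guess costs a full KDF run.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted_pbkdf2(record: str, candidate: str) -> bool:
    # Recompute with the stored salt and compare in constant time.
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown record format")
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def exposure_of_leaked_record(scheme: str, record: str) -> str:
    """Describe what someone holding one leaked record learns under each scheme."""
    if scheme == "plaintext":
        return f"password read directly: {record}"
    if scheme == "unsalted_sha256":
        table = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}
        found = table.get(record)
        if found:
            return f"password found by table lookup: {found}"
        return "not in table; one fast hash per guess, shared across all records"
    if scheme == "salted_pbkdf2":
        return "no shortcut: per-record salt defeats shared tables, each guess costs a KDF run"
    raise ValueError(f"unknown scheme {scheme!r}")
```

With hashing done this way, a leaked file never contains anything that reads as "clear text", which is the point the "Heavily encrypted?" comment is making: clear text in the leak means clear text was stored somewhere.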