Slashdot Mirror

← Back to Stories (view on slashdot.org)

Social Search Reveals 700 Comcast Customer Logins

Posted by samzenpus on from the easiest-password-to-remember dept.

nandemoari writes "When educational technology specialist Kevin Andreyo recently read a report on people search engines, he decided to conduct a little 'people search' on himself. Andreyo did not expect to find much — so, imagine the surprise when he uncovered the user name and password to his Comcast Internet account, put out there for the entire online world to see. In addition to his personal information, Andreyo also discovered a list that exposed the user names and passwords of (what he believed) to be 8,000 other Comcast customers. Andreyo immediately contacted both Comcast and the FBI, hoping to find the ones responsible for divulging such personal information to the public. While the list is no longer available online, analysts fear that the document still lives on in various cache and online history services."

10 of 158 comments (clear)

  1. How far is it spread? by Anthony_Cargile · · Score: 4, Insightful

    I wonder if that includes both home and business accounts. I'm sure you can Wayback the archive provided you have an original link or precise search terms, but this apparently affects quite a few people although the summary doesn't mention what exactly the revealed username/passwords are to.

    If I had to take a guess, I'd say email or online customer accounts (although I don't recall having one during my painful time with Comcast), which either opens up either a financial or spam-exploitable security issue, not sure which.

    ...In a nutshell: This is pretty bad, but how deep does it go and can Comcast be held responsible in any way?

  2. Aggressive Social Sites by Anonymous Coward · · Score: 5, Interesting

    A few months ago, my wife received an "invite" from one of her friends regarding one of these "mom" social websites (I really wish that I could recall - but I can't) - picture sharing and all that doo-dah.

    Long story short, my constant geek bantering about "security" had finally gotten through to my wife - and she was using a different password for each website. What happened was astonishing: buried in the 58 page EULA, there was text about authorizing the site in question to logon to her supplied email account (e.g. - gmail.com) using the same supplied password. When my wife used a password that was not the same as her email account, the site simply asked her for it.

    In other words, the people who use the same password for everything would simply check the "I AGREE" box, which would authorize the new site to harvest their email contacts for the sake of spamming them. Since the generated emails would be coming from a known contact, it would become a plausible suggestion for each recipient (i.e. - better than unsolicited spam).

    I can imagine that sites like this would have no problem selling and/or posting this information publicly.

    1. Re:Aggressive Social Sites by Anonymous Coward · · Score: 5, Interesting

      Yes. My mother, and all of her sisters have facebook, and use it as much as any 15 year old girls. It is scary.

    2. Re:Aggressive Social Sites by z0idberg · · Score: 4, Informative

      You're not understanding the issue. Yes facebook etc. ask for your email password to get your contact list, but the issue the OP is talking about (though who knows if its true given its an AC who cant recall the original site) is that the site tries to use your supplied email address and the password you use *for that particular site* to try and login to your email account and get your contact list. So you aren't prompted for your gmail/yahoo/hotmail password. They just try to login to your email using your supplied email address and the password for that site. Sneaky given most(?) people use the same password across a wide range of places.

  3. Not the first time by Anonymous Coward · · Score: 5, Informative

    I worked for comcast about 8 years ago and at the time they had a Remedy test account they used for various stuff. One day I decided to login to the ftp using the remedy account and sitting there was a year old file with every subscriber's login and password. And since the ftp site was the account's web site home folder, these were just sitting there available to everyone.

  4. Re:Comcast has Passwords? by JWSmythe · · Score: 4, Funny

        I've moved around a lot, and each time they've tried. They've also been insistent that I have a Windows machine for them to install with. I used to keep a spare Windows box handy just for the installs. Usually I could talk them out of touching the machine. Two insisted, and finally made me sign a waiver that I refused, but the connection worked so I didn't care. One blatantly refused to do the install without putting the CD in. I was happy that it was a spare machine I didn't care about. It came offline, and I put my Linux machine up just after they walked out the door. It had a nice clean install of Win98 on it, so they got absolutely no personal information. I wiped it later on, just in case I needed it again for something.

       

    --
    Serious? Seriousness is well above my pay grade.
  5. Password lists by JWSmythe · · Score: 4, Interesting

        I remember in the good ol' days of dialup, folks (now known as script kiddies) would pound on the dialups with common username:password combinations until they found one. Those lists would float around. I've seen lists of thousands of valid usernames. The folks who got them would use the now "free" dialup until the customer finally canceled. Of course, those usernames were the same as the email address (like foo@aol.com), so in theory you had their email address too. If you hopped in the right IRC channel and chatted for a few minutes, you could get your hands on a different list pretty quickly.

        I saw other comments saying that this was just Comcast insecurity, but it brought back memories. :)

    --
    Serious? Seriousness is well above my pay grade.
  6. I haxxored Comcast... by feepness · · Score: 5, Funny

    So I'm trying to log on to Comcast to look at my bill. It's one of those places you log on every three years or so, so I can't remember anything about the account. I gave them my name and they give me a secret question asking "What is your favorite drink?" Well who the hell has a special favorite drink? So I plug in a few answers and finally try "milk". Bingo, I'm in. Change the password to my standard website name hash, poke around, get confused, and realize... wait a second... this isn't my account. My name is fairly rare, but I guess not rare enough. I don't really have any way of resetting it to what it was before, and for some reason there was no email verification involved. So I whistled quietly as I closed the window and called customer service instead.

  7. Re:While the list is no longer available online by poopdeville · · Score: 5, Informative

    It is.

    http://66.218.69.11/search/cache?ei=UTF-8&p=%22ComCast+Mail%22++Kevin+Andreyo&fr=yfp-t-501&u=www.scribd.com/doc/9723141/ComCast-Mail&w=%22comcast+mail%22+kevin+andreyo&d=ZjZ_Sp2uSYep&icp=1&.intl=us

    Took about a minute to find.

    --
    After all, I am strangely colored.
  8. I'll Give Even Comcast the Benefit of Doubt by carlzum · · Score: 4, Interesting

    I have to believe Comcast is telling the truth and some kind of malware is to blame. Over my many years in corporate IT departments, I've seen customer information handled poorly in many way. But an application storing passwords in clear text? I can honestly say I've never seen that happen. Maybe in some homegrown internal application, but not a customer-facing web site in the post-SOX era. A company as big as Comcast is certainly using third-party authentication software. They would have to go out of their way to capture passwords.

    If this document is traced back to Comcast they're guilty of more than simple incompetence, they engaged in deliberate unethical behavior.