Slashdot Mirror


Comcast Resets Nearly 200,000 Passwords After Customer List Goes On Sale (csoonline.com)

itwbennett writes: Over the weekend a Dark Web marketplace had 590,000 Comcast email addresses and passwords for sale, offering the entire list for $1,000, writes CSO's Steve Ragan. Saturday evening Ragan contacted Comcast about the accounts being sold online and learned that Comcast had 'already obtained a copy of the list' and was checking it against their customer base. 'Of the 590,000 records being sold, only about 200,000 of them were active,' Comcast said. Still unknown is the source of the data being sold online, although signs point to it being recycled.

43 comments

  1. Good time for a phone scam by Joe_Dragon · · Score: 3, Insightful

    Good time for a phone scam.

    By calling people and saying that you are from Comcast and that we need to reset your password and asking them for the info + their new password.

    1. Re:Good time for a phone scam by Anonymous Coward · · Score: 0

      What would you call that, two factor scam authentication?

    2. Re:Good time for a phone scam by Anonymous Coward · · Score: 1

      What would you call that, two factor scam authentication?

      Yes. It's a method of ensuring the victim is actually that stupid, just in case there were any doubts left.

      Remember kids...due diligence is always viewed as a good thing no matter the wrapper.

    3. Re:Good time for a phone scam by Tablizer · · Score: 5, Funny

      What would you call that, two factor scam authentication?

      Is your network slow?: [Yes]

      Does it flake at night and on weekends?: [Yes]

      Do technicians pretend like they solve the problem but never do?: [Yes]

      Does phone support always want to sell you crap you don't need or want?: [Yes]

      Do weird fees appear on your bill out of no-where?: [Yes]

      [Enter...]

      You have been CONFIRMED to be a Comcast customer. Now please change your password.

    4. Re:Good time for a phone scam by Anonymous Coward · · Score: 0

      I would call it old school.

      We used to call random people out of the phone book with

      "Hello Mr Smith, My name is James Zabruter with your bank and while doing a routine check of accounts we noticed something out of place. I am calling to validate that you made a charge of $2,593.26 at Jose's Motorcycle emporium.

      You did not? Well the charge did look out of place. Please let me validate that we have the correct account. Can you please read me the numbers from your Card?... and the Expiration date?... Now the three digits on the back of the card...

      Thank you Mr Smith, that is your account. I am marking the charges as fraudulent, they should be removed from your statement. If it does not process before this statement don't panic. Simply highlight them and make sure they are not on the statement for the following month. "

      You would be amazed how many people would read you their CC info right there on the phone.

    5. Re:Good time for a phone scam by rsborg · · Score: 3, Insightful

      What would you call that, two factor scam authentication?

      Is your network slow?: [Yes]

      Does it flake at night and on weekends?: [Yes]

      Do technicians pretend like they solve the problem but never do?: [Yes]

      Does phone support always want to sell you crap you don't need or want?: [Yes]

      Do weird fees appear on your bill out of no-where?: [Yes]

      [Enter...]

      You have been CONFIRMED to be a Comcast customer. Now please change your password.

      You're also likely an AT&T or Verizon subscriber. Once the entity gets to a large enough size, it's often incapable of fighting those "creative ways to boost revenue" by screwing its captive customers.

      --
      Make sure everyone's vote counts: Verified Voting
    6. Re:Good time for a phone scam by rudy_wayne · · Score: 1

      Still unknown is the source of the data being sold online, although signs point to it being recycled.

      So, they got the info out of the Recycle Bin?

    7. Re:Good time for a phone scam by Joe_Dragon · · Score: 1

      or the dumpster. Someone once found a weather star in a dumpster at a Comcast headend.

    8. Re:Good time for a phone scam by Anonymous Coward · · Score: 0

      or just work at any eating place where you take the card to the back room.

  2. It isn't just Comcast passwords ... by Alain+Williams · · Score: 3, Insightful

    it is also all the other places where people have used the same password and have used the same email address. Comcast must contact all 590,000 people - not just the 'active' ones; people might not be active Comcast customers but many will still be real people who must be told that an old supplier has f**ked up and revealed their password.

    It is unacceptable for Comcast to say: old customer, not important; they should not have reused their password - so not our fault. I agree that password reuse is stupid, but the world is full of stupid people.

    1. Re:It isn't just Comcast passwords ... by Anonymous Coward · · Score: 0

      I think the Venn diagram of Comcast users and stupid people has a big overlap.

    2. Re:It isn't just Comcast passwords ... by ZipK · · Score: 2

      Comcast must contact all 590,000 people

      "Can I please place you on hold? Thank you, I am now transferring you to the department that handles this function."

      Click. Click.
      (Silence)
      Click.

      "Hello, and welcome to Comcast customer service. We are currently experiencing higher than normal volumes, but be assured that your call will be handled as soon as a customer service agent is available. Please hold."

      (Music)

      "Have you heard about Comcast Xfinity bundles? Comcast Xfinity bundles offer customers the opportunity to right-size their services!"

      Click. Click.
      (Dial tone)

    3. Re:It isn't just Comcast passwords ... by Anonymous Coward · · Score: 0

      Most of Comcast's user list comes from people who used a local ISP that Comcast bought out and people who have no choice because Comcast bought out all the local ISPs.

      Stupidity has nothing to do with it, maybe if there were some competition in the field of ISPs instead of just a couple big players carving up the geography and colluding not to compete.

    4. Re:It isn't just Comcast passwords ... by Noah+Haders · · Score: 1

      There's also a Bennett diagram of Comcast customers and Internet users...

    5. Re:It isn't just Comcast passwords ... by Anonymous Coward · · Score: 0

      Only because most people are stupid, and Comcast is the only choice in many areas. My second choice is DSL at about 5% of the speed of cable Internet at a very similar cost.

    6. Re:It isn't just Comcast passwords ... by Anonymous Coward · · Score: 0

      I agree that password reuse is stupid, but the world is full of stupid people.

      Ignorant is a better choice than stupid because there are a lot of brilliant people smarter than you and I who don't know because they are not interested and it falls way down on the list of things likely to affect them. It should be up to us to fix the issue so they are protected. We all know what that fix is and don't like to talk about it because of the absolute abrogation of privacy it entails but the answer is biometric data. It needs to be up to the computer to figure out who (and if) the human is and allow access accordingly.

    7. Re:It isn't just Comcast passwords ... by rudy_wayne · · Score: 1

      just a couple big players carving up the geography and colluding not to compete.

      Actually, it's government sponsored collusion.

      In a very large percentage of cities, the local government awards an exclusive franchise to one $BIG_CABLE_COMPANY.
      Something in the neighborhood of 20 states have passed laws prohibiting cities from setting up their own broadband networks.
      A couple of cities have even turned down Google's offer of gigabit fiber because Google didn't want to pay the standard kickbacks to local politicians (aka Franchise Fees).

    8. Re:It isn't just Comcast passwords ... by radarskiy · · Score: 1

      "It is unacceptable for comcast to say: old customer, not important; they should not have reused their password - so not our fault. "

      Which is probably why Comcast did not say that: "However, playing the better safe than sorry card, Comcast will assume the passwords on the matching accounts are valid and force a reset."

      With all of the veritably bad actions that Comcast is taking, there's no need to make stuff up.

    9. Re:It isn't just Comcast passwords ... by Anonymous Coward · · Score: 0

      It costs a lot of money to lay fiber everywhere. If you aren't guaranteed a monopoly, they won't bother trying to lay enough fiber alongside other companies' fiber to try to get a fraction of the customer base.

    10. Re:It isn't just Comcast passwords ... by Obfuscant · · Score: 1

      In a very large percentage of cities, the local government awards an exclusive franchise to one $BIG_CABLE_COMPANY.

      No, they award a non-exclusive franchise. I've yet to see an exclusive one, and most cities just copy what other cities have done, changing only the relevant local bits.

      A couple of cities have even turned down Google's offer of gigabit fiber because Google didn't want to pay the standard kickbacks to local politicians (aka Franchise Fees).

      You mean they would have gotten a franchise had they been willing to pay the same fees that the other competitors do? The fee that is based on the use of public rights of way?

      Wouldn't that be an unfair advantage and a tax-break to Google? Doesn't that also kinda disprove the claim of an exclusive franchise?

  3. Good For The Hackers by Anonymous Coward · · Score: 2, Funny

    Still unknown is the source of the data being sold online, although signs point to it being recycled.

    It's good to hear that the hackers care about the environment.

  4. Are they going to bother notifying us?! by the_skywise · · Score: 1

    "Customers impacted by the password resets will be dealt with on a case-by-case basis. When asked, a Comcast representative confirmed that their security teams were certain that none of their systems or apps had been compromised."

    Uh... EXCUSE ME?! If my account was compromised I want to know NOW - I rarely login to my account as I have my own email and get my bill mailed to me.

    sigh... going to check now...

    1. Re:Are they going to bother notifying us?! by Anonymous Coward · · Score: 2, Insightful

      "Customers impacted by the password resets will be dealt with on a case-by-case basis. When asked, a Comcast representative confirmed that their security teams were certain that none of their systems or apps had been compromised."

      Uh... EXCUSE ME?! If my account was compromised I want to know NOW - I rarely login to my account as I have my own email and get my bill mailed to me.

      sigh... going to check now...

      Ok.. the obvious question.... WHY is there a list of Comcast passwords? They've not heard of basic hashing?

    2. Re:Are they going to bother notifying us?! by thedonger · · Score: 1

      Or, how about the fact (yes, fact) that most people [citation needed] use the same password for a variety of services? A unique enough email address can lead to one's online identity being discovered, and now the nefarious turd has your password.

      Then again, maybe the person already checked those vectors and is just trying to make a little more money off the list.

      --
      Help fight poverty: Punch a poor person.
    3. Re:Are they going to bother notifying us?! by Anonymous Coward · · Score: 0

      As of yet, there's no evidence that the credentials came from inside Comcast. I've gotten pop-ups before, usually on torrent sites, claiming to be "important notice from [all sorts of ISPs]" saying I went over my bandwidth limit or was caught pirating movies etc. I've never clicked through, but the target site is probably phishing customer accounts.

  5. Plaintext passwords? by romanval · · Score: 5, Insightful

    Who the hell stores plaintext passwords anymore? You'd think that should be illegal...

    1. Re:Plaintext passwords? by Anonymous Coward · · Score: 1

      Who the hell stores plaintext passwords anymore? You'd think that should be illegal...

      Passwords don't need to be stored as plaintext to determine them, there are techniques you can use to recover hashed passwords, as long as they're 14 characters or less.

    2. Re:Plaintext passwords? by Anonymous Coward · · Score: 0

      Show me these techniques.

    3. Re:Plaintext passwords? by cfalcon · · Score: 2

      He means like rainbow tables and other aggregate attacks. You won't get every password but you will get a lot of them.

    4. Re:Plaintext passwords? by Anonymous Coward · · Score: 0

      Rainbow tables are a time-space tradeoff that doesn't work (becomes pointless) if there is more salt than there are hashes. If you have 4 billion users (yeah right) and 32-bit salt, no time-space tradeoff is worthwhile and you're dead in the water.

      For the archaic and badly designed "LMhash" used in Windows twenty years ago, 14 characters is the maximum, and _if you use that hash which you never should_ a complete reverse is available that will turn any hash back into a valid password (usually the right one, but whichever one it is, it'll work) because the design is so awful. If you have an even vaguely modern Windows, just don't let anybody persuade you to "enable backwards compatibility" by using LMhash, because it's garbage.

      But for say, classic Unix crypt() which is properly designed despite being now more than 40 years old and considered "weak", you still have no way to attack that faster than just trying every possible input to see if it matches. A good 12 character password set on a Unix box in 1975 may well still be unbroken today.

      For the slightly younger but hardly novel PHK-MD5 algorithm that replaced crypt() in good Unix-like systems, even though MD5 is known to be "weak" nobody is getting your decent password reversed. It's not going to protect "sesame" and "pass1234" but if you made a decent choice you're probably safe for years.

    5. Re:Plaintext passwords? by Anonymous Coward · · Score: 0

      Some CHAP implementations require plain-text passwords. Some software packages log passwords when debug logging is enabled before hashing. Sometimes page files are not encrypted but password somehow makes it into a variable ... http://woshub.com/how-to-get-plain-text-passwords-of-windows-users/

      The laziness of not protecting passwords will not change quickly.

  6. Password reuse by Noah+Haders · · Score: 2

    There's a larger issue of password reuse. It's likely that many of the 590k people on the list reuse passwords, which means you can just start an auto logging script to get into email, banks, everywhere.

    1. Re:Password reuse by rhodium_mir · · Score: 1

      This is why I reset my passwords every 48 HOURS!

      --
      You can't spell "oneiromancy" without "roman".
    2. Re:Password reuse by Anonymous Coward · · Score: 0

      I reset mine every 47 hours, so I'm safer.

    3. Re:Password reuse by cfalcon · · Score: 1

      Remember, use nothing but special characters for security.

  7. so much for security experts by Anonymous Coward · · Score: 0

    So much for big companies having better security than the little guys.

    Salted and hashed is the way to go.

    1. Re:so much for security experts by silas_moeckel · · Score: 1

      As little user PW's as possible is the way to go. There is 0 reason for local logins, oauth, saml, shibboleth, cas, etc etc etc.

      --
      No sir I dont like it.
  8. seems obvious.... by Anonymous Coward · · Score: 0

    I am a 21 year old college student that has worked a few tech jobs here and there and it seems completely obvious to me to hash and salt the passwords. I really don't understand how a large company with multiple educated IT professionals can allow this to happen. How does something so common sense like that slip through the cracks?
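
The "hash and salt" point made in this comment, in the "Salted and hashed is the way to go" comment above, and in the rainbow-table/salt discussion in the "Plaintext passwords?" thread can be shown concretely. The following is an added example written for this page, not code posted in the thread and not anything Comcast runs. It assumes plain MD5 as the stand-in for an unsalted password store, PBKDF2-HMAC-SHA256 from the Python standard library as the salted, iterated replacement, and a constructed list of four weak passwords as the "precomputed table" input. It shows why one lookup table reverses every unsalted copy of a common password instantly, why a per-user random salt makes two users with the same password get different digests, and how the salt width multiplies the size a precomputed table would need.

```python
import hashlib
import hmac
import os

# Constructed sample inputs (not from the article): a handful of weak
# passwords of the kind a precomputed table would cover.
WEAK_PASSWORDS = ["sesame", "pass1234", "letmein", "qwerty"]


def unsalted_hash(password):
    """Plain MD5 of the password: identical input gives identical output,
    across users and across sites, so a table built once works forever."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(candidates):
    """Precompute digest -> password for every candidate. Against unsalted
    hashes one table serves every leaked database."""
    return {unsalted_hash(p): p for p in candidates}


def crack_unsalted(table, digest):
    """Reverse an unsalted digest by table lookup (None if not in table)."""
    return table.get(digest)


def hash_password(password, salt=None, iterations=200_000):
    """Salted, iterated hash (PBKDF2-HMAC-SHA256). A fresh 16-byte random
    salt per user means equal passwords no longer share a digest, and the
    iteration count makes each guess cost ~200k hash operations."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Self-describing record: algorithm, cost, salt and digest stored together.
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), dk.hex())


def verify_password(record, candidate):
    """Recompute with the stored salt and cost; constant-time compare."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    assert algo == "pbkdf2_sha256"
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def table_entries_needed(n_candidates, salt_bits):
    """Entries a precomputed table needs to cover every (password, salt)
    pair: the salt multiplies the work by 2**salt_bits, which is the
    'more salt than there are hashes' point made in the thread above."""
    return n_candidates * (2 ** salt_bits)


def demo():
    table = build_lookup_table(WEAK_PASSWORDS)
    leaked = unsalted_hash("sesame")           # what an unsalted DB would hold
    recovered = crack_unsalted(table, leaked)  # instant lookup -> "sesame"

    rec_a = hash_password("sesame")            # user A
    rec_b = hash_password("sesame")            # user B, same password
    same_digest = rec_a.split("$")[3] == rec_b.split("$")[3]  # False

    return {
        "recovered_unsalted": recovered,
        "salted_records_collide": same_digest,
        "verify_correct": verify_password(rec_a, "sesame"),
        "verify_wrong": verify_password(rec_a, "pass1234"),
        "table_size_32bit_salt": table_entries_needed(len(WEAK_PASSWORDS), 32),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", v)
```

Running it shows the unsalted MD5 of "sesame" recovered by a single dictionary lookup, the two PBKDF2 records for the same password differing, verification succeeding only for the right password, and a four-entry table growing to 4 * 2^32 entries once a 32-bit salt is in play. PBKDF2 is used here because it ships in the standard library; the crypt() and PHK-MD5 schemes mentioned in the thread follow the same salt-plus-iteration idea, and for new systems bcrypt, scrypt or Argon2 are the usual choices.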

    1. Re:seems obvious.... by Anonymous Coward · · Score: 0

      Probably old admin and developers, hired in the 90's and have no clue about security.

  9. Microsoft data collected from spyware by Anonymous Coward · · Score: 0

    If this were a hack or leak of Microsoft with all those spy features in Windows, at least we know th

  10. amazon by Anonymous Coward · · Score: 0

    did amazon reset passwords because of this?

  11. Recycled? Doesn't sound like Comcast got hacked by TigerPlish · · Score: 1

    Recycled means it came from other sources, not from going into Comcast.

    They flagged the guy as a scammer, too. Honor amongst thieves?

    It's all in TFA

    --
    The "Civilized World" jumped the shark ca. 1973.