Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security The Internet

Social Search Reveals 700 Comcast Customer Logins 158

nandemoari writes "When educational technology specialist Kevin Andreyo recently read a report on people search engines, he decided to conduct a little 'people search' on himself. Andreyo did not expect to find much — so, imagine the surprise when he uncovered the user name and password to his Comcast Internet account, put out there for the entire online world to see. In addition to his personal information, Andreyo also discovered a list that exposed the user names and passwords of (what he believed) to be 8,000 other Comcast customers. Andreyo immediately contacted both Comcast and the FBI, hoping to find the ones responsible for divulging such personal information to the public. While the list is no longer available online, analysts fear that the document still lives on in various cache and online history services."
This discussion has been archived. No new comments can be posted.

Social Search Reveals 700 Comcast Customer Logins

Comments Filter:
  • by westyvw ( 653833 ) on Wednesday March 18, 2009 @09:03PM (#27250851)
    Who knew? Are these the same people who actually let Comcast install software on thier computers?

    --Nothing to do with the leak of passwords, just saying.....
    • Re: (Score:3, Informative)

      by furby076 ( 1461805 )
      It's actually quite simple. When the comcast person arrives at your house and installs the hardware they will want to install the software. Tell them no and to have them call their dispatch. They don't like to do it because now they have to wait on hold, get the person to manually activate the modem (why the software is not built into the modem is beyond me), and wait for it to start. Basically it means the comcast guy will be at your place for an additional 30 minutes. They will, however, not install it
  • by Anthony_Cargile ( 1336739 ) on Wednesday March 18, 2009 @09:04PM (#27250857) Homepage
    I wonder if that includes both home and business accounts. I'm sure you can Wayback [archive.org] the archive provided you have an original link or precise search terms, but this apparently affects quite a few people although the summary doesn't mention what exactly the revealed username/passwords are to.

    If I had to take a guess, I'd say email or online customer accounts (although I don't recall having one during my painful time with Comcast), which either opens up either a financial or spam-exploitable security issue, not sure which.

    ...In a nutshell: This is pretty bad, but how deep does it go and can Comcast be held responsible in any way?
    • and can Comcast be held responsible in any way?

      I love the sue happy mentality of our society. A better question "and should Comcast be held responsible..."
      Trust me I hate Comcast. My girlfriend laughs at me everytime I talk about comcast. Out of all the companies in the world I have dealt with - comcast is the worst (though a few months ago a comcast manager was so nice to me...no lie, I had a tear come to my eye).
      Sometimes accidents happen, rogue employees happen, or some other factor. You get them to fix the problem and move on.

    • One concern I'd have is that people often use the same password for all of their accounts. Skimming through the list of usernames and passwords that were released, it's amazing to me how simplistic the passwords are that people use. Straight-up dictionary works, nothing appended. Or just a dictionary word plus a digit or two.

  • by Anonymous Coward on Wednesday March 18, 2009 @09:14PM (#27250915)

    A few months ago, my wife received an "invite" from one of her friends regarding one of these "mom" social websites (I really wish that I could recall - but I can't) - picture sharing and all that doo-dah.

    Long story short, my constant geek bantering about "security" had finally gotten through to my wife - and she was using a different password for each website. What happened was astonishing: buried in the 58 page EULA, there was text about authorizing the site in question to logon to her supplied email account (e.g. - gmail.com) using the same supplied password. When my wife used a password that was not the same as her email account, the site simply asked her for it.

    In other words, the people who use the same password for everything would simply check the "I AGREE" box, which would authorize the new site to harvest their email contacts for the sake of spamming them. Since the generated emails would be coming from a known contact, it would become a plausible suggestion for each recipient (i.e. - better than unsolicited spam).

    I can imagine that sites like this would have no problem selling and/or posting this information publicly.

    • Re: (Score:3, Insightful)

      by Milkyfresh ( 1041360 )
      I'm more interested in the site that did this and the legality of them doing it. There is zero reason why a site needs your password to your e-mail account.
      • by yakatz ( 1176317 )
        They can do almost anything as long as it is there in writing. The reason they ask for your password is to get your contact list. That makes sense considering that the point of the site is to find out what your contacts are doing.
        • by z0idberg ( 888892 ) on Wednesday March 18, 2009 @09:44PM (#27251123)
          You're not understanding the issue. Yes facebook etc. ask for your email password to get your contact list, but the issue the OP is talking about (though who knows if its true given its an AC who cant recall the original site) is that the site tries to use your supplied email address and the password you use *for that particular site* to try and login to your email account and get your contact list. So you aren't prompted for your gmail/yahoo/hotmail password. They just try to login to your email using your supplied email address and the password for that site. Sneaky given most(?) people use the same password across a wide range of places.
          • by yakatz ( 1176317 )
            I dont know which site you are talking about, but spokeo tells you outright that they will use it to log in to your email.
          • I've encountered those sites before - facebook, myspace, etc. They specifically ask me "want us to use your yahoo, gmail, etc to contact your friends". One time I said yes and it brought up a list of all of my friends and then it said "who did you want us to contact". It was a very plain, and clear pop-up. You couldn't miss it and you had to check off names and click submit. Nothing underhanded or sneaky. Now are there sites who will do that - most likely - but the bigger named sites are not currently
        • by AvitarX ( 172628 )

          My understanding of EULA's in case law (IANAL, or even a legal geek) is that they are enforcable in so much as they say what everyone knows and expects to be there. SOme wacky clause would presumably not be then.

          This is for software, not services and may even be wrong, but whatever.

          Wikipedia gave no specifics, saying terms are pretty much case by case, and it focused strongly on software purchases.

        • by TheLink ( 130905 )
          "They can do almost anything as long as it is there in writing"

          If the Courts agree with you, then it's a matter of who writes the EULA equivalent of a nuke first.

          Heck, someone should write an EULA with really really ridiculous terms e.g. "You give us complete ownership over your organs after your death, and any derivative products".
      • I just want them to try. Having a domain with a catch-all account I just put @dwarfsoft.com and let them use that for a login. There is no attached real email account so they could never log in, even if they tried.

        Also, having different passwords (randomly generated and stored in a secure database, or in memory if you are that freaky) definitely helps :)

        • Re: (Score:3, Interesting)

          by Brickwall ( 985910 )
          I understand the need to have different logon/passwords, but geez - some sites are going nuts. My bank and my credit card company wanted to put me through TWO logons each, using different ID's and passwords. And of course, if you forget, neither of them will email you your password; you have to phone tech support, sit on hold for 10-20 minutes, and wait for tech support to reset the password, which takes another 20-30 minutes to take effect. So, just to check my card balance, what should have been a 30-seco
          • But I wish there was an easier way.

            If you use firefox, there is.

            Ask and ye shall receive. [passwordmaker.org]

    • Facebook is a "mom" social website now? (It prompts you for your gmail email address and password.)

      • by Anonymous Coward on Wednesday March 18, 2009 @09:41PM (#27251101)
        Yes. My mother, and all of her sisters have facebook, and use it as much as any 15 year old girls. It is scary.
      • by Potor ( 658520 )
        Not quite: it asks for your email address, and your FACEBOOK password (not your email password).
        • Re: (Score:3, Informative)

          by fractoid ( 1076465 )
          Actually, what the GPP is referring to is that when you create a Facebook account, it allows you to enter your email password for a few of the major webmail providers (GMail, Hotmail, can't remember the others), trawls through your contact list and/or inbox, and gives you a list of people you've contacted via email who also have facebook accounts. It's a convenient (albeit scary from the security PoV) way to populate your friend list for a new account.
    • by Renraku ( 518261 )

      And why should they have a problem with it?

      I don't think it has caused any trouble for any company as of yet. As far as they know, its practically free advertising. People see that a friend is inviting them to the site, and they're more likely to subscribe themselves.

      Its like those pain in the ass sites that offer to post on your Facebook for you when you've done something at their site.

    • Twitter also seems to do this. I even skipped the step where it asked to log into my other accounts, but it still seemed to check my MSN account (using the same password) and automatically make me follow the twitter of someone from my contact's list.

      • UH.... I'm sorry but that seems a bit too difficult to believe. I'm gonna say that you are spreading FUD here.
    • Wow, that is scary. All the more ammo to preach to people to use unique passwords.

      Of course, even if you can train those folks to use unique passwords, you still have to train them not to give out account info where it doesn't belong. They'd probably just as easily give out the email account password unless educated. Gmail, etc., needs to add to their EULA that it is against their policy for you to share you account password.

      What they (Google, etc.) should set up is a "safe" way to allow you to let sites

  • Not the first time (Score:5, Informative)

    by Anonymous Coward on Wednesday March 18, 2009 @09:28PM (#27251017)

    I worked for comcast about 8 years ago and at the time they had a Remedy test account they used for various stuff. One day I decided to login to the ftp using the remedy account and sitting there was a year old file with every subscriber's login and password. And since the ftp site was the account's web site home folder, these were just sitting there available to everyone.

  • Customers and the people like them are the people your data is sold over.
    As a consumer, you are one of many.
    Even if someone does care, its a quick fix and back to a race to the bottom.
    Security is for paying equals, the people you cannot not afford to upset.
    Paying a consumer data 'fine' every so often and a slick PR release is cheaper than real expensive on going prevention.
    If congress or any other gov entity cares, any company can swear they have the best security in place..
    Just not everywhere, all the
  • by bogaboga ( 793279 ) on Wednesday March 18, 2009 @09:45PM (#27251133)

    While the list is no longer available online, analysts fear that the document still lives on in various cache and online history services."

    I would like to know whether my details are on that list. Question is: How do I get a hold of that list? How do I access data from the so called caches?

    • That's probably the wrong question, or wrong way to find out, especially if you do not wish to become suspect, a lot of people would interpret that as a ploy to get a hold of the list for malicious interests.

      The best, or rather the first option would be to call your local Comcast ISP, and ask them if your details are on the leaked list (as they should have the list in some form). When that (likely) fails, then go hunting, or possibly try contacting Mr. Andreyo, although I'm sure he's now receiving about 100

      • Why take any chances? Just assume your account has been compromised. Whether or not you are a victim, you should change your password today. That takes care of it, without you having to do any follow-up research.

        Also, make a habit of using encryption for all your email correspondence, regardless of sensitivity. If all your communication is encrypted, it doesn't matter how important or private it is, it will be protected.

      • by Ironica ( 124657 )

        The best, or rather the first option would be to call your local Comcast ISP, and ask them if your details are on the leaked list (as they should have the list in some form).

        Actually, the FIRST thing you should do if you have a Comcast account is CHANGE YOUR PASSWORD. Also, change your password for any accounts that use the same password.

    • Re: (Score:1, Informative)

      by Anonymous Coward

      | | | | | | | hoagfamily5@comcast.net | kentlake amyleslie@comcast.net | go60852 amyleslie@comcast.net | go60852 Corbettclan5@comcast.net | JFKHS2005 divinedsd@comcast.net | go51137 mryoung1@comcast.net | go51244 mryoung1@comcast.net | go51244 g.galifianakis@comcast.net gortys74 3067 despinad@comcast.net methodios1 2519 dorgan@comcast.net trucks99 2462 Tzannetakis@comcast.net georgios 1307 www.yanninik@comcast.net yanni woodyrn@comcast.net ipcorder woodyrn@comcast.net pilot08 rmayer04@comcast.net millwright

    • A court ordered subpeona is the only way comcast will release information about that list. What you would need to do is sue comcast for the list stating, in the law suit, users who are on the list should be notified.
    • by TheLink ( 130905 )
      Why not just change your password? Even if it's not in that particular document, it might be in other similar documents, this might not be a one-off mistake.

      Or are you trying to figure out whether you can sue them? ;)
  • Password lists (Score:5, Interesting)

    by JWSmythe ( 446288 ) <jwsmythe@@@jwsmythe...com> on Wednesday March 18, 2009 @09:50PM (#27251171) Homepage Journal

        I remember in the good ol' days of dialup, folks (now known as script kiddies) would pound on the dialups with common username:password combinations until they found one. Those lists would float around. I've seen lists of thousands of valid usernames. The folks who got them would use the now "free" dialup until the customer finally canceled. Of course, those usernames were the same as the email address (like foo@aol.com), so in theory you had their email address too. If you hopped in the right IRC channel and chatted for a few minutes, you could get your hands on a different list pretty quickly.

        I saw other comments saying that this was just Comcast insecurity, but it brought back memories. :)

    • Re: (Score:3, Interesting)

      Easier than that, over my 16.8k connection I would ping scan port 80. 99.9% of the port 80s that were open were routers that served internal networks. The geniuses at the router company decided that shadowing the password on the config page was enough.

      Little did they know I was a Haxxor that knew how to "View Page Source".

      So many accounts from that...

    • by adolf ( 21054 )

      Back in the day, my ISP had a Unix box (I forget the flavor). It was their web server, their FTP server, their mail server, and so on. /etc/passwd was wide-open, and non-shadowed.

      I leave the rest for the imagination.

    • Did people really bother doing that? Most of the dial-up ISPs had an account that was intended for testing and didn't enforce a connection limit, which was a lot more reliable. I remember one local computer shop setting up every machine that left with this account on the Yahoo! ISP so all of their customers got free dial-up Internet.
    • by tibman ( 623933 )

      When i was a kid i figured out that you could manually dial Compuserve numbers and not "login". They wouldn't kick you for 2 hrs. I had a sweet IBM Thinkpad and Compuserve was damn near everywhere.. it was great when traveling around. A 1-800 number would tell me the local compuserve dial up too. That internet was a different world from this one though.

  • by tthomas48 ( 180798 ) on Wednesday March 18, 2009 @09:54PM (#27251197)

    Have a really, really common name.

    • by tb3 ( 313150 )

      The problem with that is that it's damn hard to audit.

      I have a very uncommon name. I plugged it into those search sites linked in TFA, and 99% of the search results were definitely about me. And nothing sordid or embarrassing came up.

      So as long as you're careful you can still stay anonymous on the web.

  • by feepness ( 543479 ) on Wednesday March 18, 2009 @10:09PM (#27251255)
    So I'm trying to log on to Comcast to look at my bill. It's one of those places you log on every three years or so, so I can't remember anything about the account. I gave them my name and they give me a secret question asking "What is your favorite drink?" Well who the hell has a special favorite drink? So I plug in a few answers and finally try "milk". Bingo, I'm in. Change the password to my standard website name hash, poke around, get confused, and realize... wait a second... this isn't my account. My name is fairly rare, but I guess not rare enough. I don't really have any way of resetting it to what it was before, and for some reason there was no email verification involved. So I whistled quietly as I closed the window and called customer service instead.
    • So I'm trying to log on to Comcast to look at my bill. It's one of those places you log on every three years or so, so I can't remember anything about the account. I gave them my name and they give me a secret question asking "What is your favorite drink?" Well who the hell has a special favorite drink? So I plug in a few answers and finally try "milk". Bingo, I'm in. Change the password to my standard website name hash, poke around, get confused, and realize... wait a second... this isn't my account. My name is fairly rare, but I guess not rare enough.

      I don't really have any way of resetting it to what it was before, and for some reason there was no email verification involved. So I whistled quietly as I closed the window and called customer service instead.

      Bad idea. They'll probably remember you as "that weird guy that insisted on using Linux/not using Windows/what-have-you" and accuse you of "hacking".

      • Re: (Score:1, Insightful)

        by Anonymous Coward
        Presumably he called just to ask about the question he had about his account, instead of telling them about the hacking.
        • Presumably he called just to ask about the question he had about his account, instead of telling them about the hacking.

          Yes, not much of a point in telling them about it. I just decided they weren't quite internet ready and relied on phone instead.

      • They'll probably remember you as "that weird guy that insisted on using Linux/not using Windows/what-have-you" and accuse you of "hacking".

        Considering his subject said "I haxxored Comcast" he admitted to doing it. Don't worry he will get a reduced sentence for coming clean.

    • by Phroggy ( 441 )

      I wonder how long it will be before people figure out that "secret questions" are such a huge security hole.

      • Re: (Score:3, Insightful)

        by TheRaven64 ( 641858 )
        Security questions are not too bad. The worst things are things like one of my banks which insists on asking me my date of birth and mother's maiden name when I log in. Both of these are public-domain information and can be accessed in a searchable form for a very small fee (or free if you bother collecting them all yourself from the various registries), but they seem to be under the impression that it adds some security.
      • Just run the answers through a good hAsh function. Yeah it's an extra step, but you don't answer security questions that often and that way people don't know our favorite drink. Not completely secure if the attacker knows your hash function but I longer low hangng fruit
        • Re: (Score:3, Funny)

          by Ironica ( 124657 )

          Not completely secure if the attacker knows your hash function but I longer low hangng fruit

          Or you could just use the last five words as your secret passphrase, and no one would ever get it because it's apparently a totally random combination of words and letters.

        • by HTH NE1 ( 675604 )

          Just run the answers through a good hAsh function.

          That's great until some web admin decides to rephrase the question.

      • I've basically established a standard answer to any security question and use it universally, regardless of the question. Effectively, it's like having yet another password to remember, but it works well enough.

        Still, I agree with the general sentiment -- especially when the question is such a basic thing as 'your favorite color'.

      • One of my charge card accounts actually asked me that. If I answered correctly, all my childhood friends and enemies are in.

  • I can't seem to find the link to the page with the passwords, seems their servers weren't up to slashdot.
    Can someone post google cache link please?
    • Re: (Score:1, Informative)

      by Anonymous Coward

      http://66.218.69.11/search/cache?ei=UTF-8&p=%22ComCast+Mail%22++Kevin+Andreyo&fr=yfp-t-501&u=www.scribd.com/doc/9723141/ComCast-Mail&w=%22comcast+mail%22+kevin+andreyo&d=ZjZ_Sp2uSYep&icp=1&.intl=us

  • Heavily encrypted? (Score:3, Interesting)

    by ub3r n3u7r4l1st ( 1388939 ) * on Wednesday March 18, 2009 @10:34PM (#27251399)

    If, according to comcast, the password are heavily encrypted, how the hell someone can find it in clear text?

    That means someone or something in somewhere store these information in clear text to begin with.

  • I mean the following statement with little to no sarcasm at all. How many of you will believe that is a different story.

    I have Slashdot to thank once again for saving me at the last minute from switching from Verizon to Comcast.

  • I bet will be around a lot of messages reporting pretty much what the article say, telling the user that his password was disclosed, and asking to change their password at www.comcast.com.etc.hacksite.com/resetpassword.php.

    There is always space to make a bad situation far worse
    • My name could be on that list and I wouldn't care. Last time comcast came around (to replace my broken cable modem) the guy said I was one of their oldest customers using their very out-of-date system. They had to delete my account and recreate it from scratch. My old account was before they issued usernames/passwords. When they asked me what I wanted my username/password to be I looked at the guy and asked him why do I need it. He said for comcast e-mail. I told him I've survived without comcast e-mai
      • by gmuslera ( 3436 )
        What if your username/pw could do something for you, like up/downgrading your connection (or cutting it) or ordering things which chargues that goes against your acount? You couldnt worry about that identity theft regarding the rest of the world, but what about Comcast (and maybe Comcast partners) in particular?
        • by TheLink ( 130905 )
          Well maybe he could go before a jury of his peers, and say "I didn't do that, it must have been someone using my account".

          And most of the jurors would believe him, since they'd have been phished/keylogged/pwned/comcasted[1] before or knew someone who had.

          [1] Comcasting is the broadcasting of your usernames and passwords.
  • by carlzum ( 832868 ) on Wednesday March 18, 2009 @11:50PM (#27251809)
    I have to believe Comcast is telling the truth and some kind of malware is to blame. Over my many years in corporate IT departments, I've seen customer information handled poorly in many way. But an application storing passwords in clear text? I can honestly say I've never seen that happen. Maybe in some homegrown internal application, but not a customer-facing web site in the post-SOX era. A company as big as Comcast is certainly using third-party authentication software. They would have to go out of their way to capture passwords.

    If this document is traced back to Comcast they're guilty of more than simple incompetence, they engaged in deliberate unethical behavior.
    • http://advogato.org/ [advogato.org] stores their passwords in plaintext, or at least in non-hash form. I think it's more common than you believe.

    • Re: (Score:3, Insightful)

      by Lord Ender ( 156273 )

      I work at a software company. In security.

      The software engineering team is absolutely certain they don't want corporate IT security anywhere near their precious development process. We would just slow things down. So they all put "security expert" on their resumes and said they don't need us, they know what they're doing, etc..

      Yeah, every app they use has totally botch authentication--plaintext password storage, unsalted hashes--you name the security mistake, these "expert" developers ship it in our top-dol

      • by carlzum ( 832868 )
        I have some advice for your software team from a fellow developer, when you're the sole contributer to the software's security design you assume the risk as well. Let the security experts define the functional requirements and focus on the implementation.

        Security involves more than encrypting passwords and defining some roles. Thorough auditing, timely alerts, and granular data control are mandated by regulations like SOX and HIPAA. A cavalier, do-it-yourself attitude puts you and your company at risk.
    • Of course they're going to blame malware or a third party. They just did a complete re-design of their web-based email system about three weeks ago. System was down for maintenance for a few hours late one night while they moved everything to the new servers. All Comcast customers were notified about the change about a week in advance. I think they sent two or three messages, boasting about all the great changes that were in store for us on the horizon after the new mail system was in place. Chances ar

    • by Ironica ( 124657 )

      I have to believe Comcast is telling the truth and some kind of malware is to blame.

      Malware where? On their installation CD? Because this is a list only of Comcast accounts... so the malware would either have to be targeting Comcast users on their own computers (so, the installation CD provided by the ISP) or it's getting the info from Comcast's computers... which would mean that they're storing passwords in plaintext.

      • by carlzum ( 832868 )
        A keylogger or spyware that reads the browser's auto-complete history could do it. There's even a shareware application [download3000.com] that targets Comcast customers which claims to unmask saved passwords in your browser. The fact that this seems limited to Comcast logins is very suspicious. If they are responsible, they deserve to be punished to the greatest extent possible.

"The vast majority of successful major crimes against property are perpetrated by individuals abusing positions of trust." -- Lawrence Dalzell

Working...