Social Search Reveals 700 Comcast Customer Logins
nandemoari writes "When educational technology specialist Kevin Andreyo recently read a report on people search engines, he decided to conduct a little 'people search' on himself.
Andreyo did not expect to find much — so, imagine the surprise when he uncovered the user name and password to his Comcast Internet account, put out there for the entire online world to see.
In addition to his personal information, Andreyo also discovered a list that exposed the user names and passwords of what he believed to be 8,000 other Comcast customers. Andreyo immediately contacted both Comcast and the FBI, hoping to find the ones responsible for divulging such personal information to the public.
While the list is no longer available online, analysts fear that the document still lives on in various cache and online history services."
Comcast has Passwords? (Score:4, Funny)
--Nothing to do with the leak of passwords, just saying.....
Re:Comcast has Passwords? (Score:5, Funny)
I've moved around a lot, and each time they've tried. They've also been insistent that I have a Windows machine for them to install with. I used to keep a spare Windows box handy just for the installs. Usually I could talk them out of touching the machine. Two insisted, and finally made me sign a waiver that I refused, but the connection worked so I didn't care. One blatantly refused to do the install without putting the CD in. I was happy that it was a spare machine I didn't care about. It came offline, and I put my Linux machine up just after they walked out the door. It had a nice clean install of Win98 on it, so they got absolutely no personal information. I wiped it later on, just in case I needed it again for something.
Re: (Score:3, Interesting)
I hide my computers for it (I have just moved after all).
The modem needs to be activated, and the CD can do it, but they can do it remotely too. So I just tell them I want internet for my Xbox, but don't have a computer set up yet. They oblige.
I'm pretty sure they would have done it if I just said I didn't want to install the software on the phone, but I didn't want to risk it.
I called a more local office directly though, and they are always polite and helpful (found a local non 800 number).
Re: (Score:3, Funny)
While Time Warner, the local cable company, has never tried to force me to install their crapware; if they tried, I would have no trouble handing them my netbook (which lacks an optical drive).
Re: (Score:2)
While Time Warner, the local cable company, has never tried to force me to install their crapware; if they tried, I would have no trouble handing them my netbook (which lacks an optical drive).
Yeah... TW didn't try to install anything on our computers, either. They used the computer briefly to check that the connection was working, but that's it. No CDs involved.
But as back-up measures, my main box is Linux *and* my optical drives are hidden under a black canvas baby-proofing cover. ;-) Baffles adults even more than the toddlers.
Re: (Score:2)
I've done a cable install twice now and just having your linux machine there will prevent them from doing anything. The guy will walk over and say, oh, you don't have windows? Then he'll call in all the numbers on his phone.. that's it! done.
Re: (Score:2)
I just have a blank WinXP VM image I give them access to full-screen and in bridged mode. They want local admin access to do their thing, and no way would I give them that even in my WinXP regular personal VM images.
No big deal, it just worked and let them do what they needed to do. When they were done, I just nuked the VM image.
How far is it spread? (Score:5, Insightful)
If I had to take a guess, I'd say email or online customer accounts (although I don't recall having one during my painful time with Comcast), which either opens up either a financial or spam-exploitable security issue, not sure which.
Re: (Score:2)
and can Comcast be held responsible in any way?
I love the sue happy mentality of our society. A better question "and should Comcast be held responsible..."
Trust me, I hate Comcast. My girlfriend laughs at me every time I talk about Comcast. Out of all the companies in the world I have dealt with, Comcast is the worst (though a few months ago a Comcast manager was so nice to me... no lie, I had a tear come to my eye).
Sometimes accidents happen, rogue employees happen, or some other factor. You get them to fix the problem and move on.
Re: (Score:2)
One concern I'd have is that people often use the same password for all of their accounts. Skimming through the list of usernames and passwords that were released, it's amazing to me how simplistic the passwords are that people use. Straight-up dictionary works, nothing appended. Or just a dictionary word plus a digit or two.
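An added example, not from the thread, of the kind of pattern check the comment above describes: it sorts passwords into bare dictionary word, dictionary word plus digits, dictionary word plus other characters, or anything else. The wordlist and the sample passwords are constructed for the example (none are taken from the leaked list); a real audit would load a full dictionary or cracking wordlist in place of `WORDLIST`.

```python
import re

# Constructed mini wordlist standing in for a real dictionary; a real audit
# would load /usr/share/dict/words or a cracking wordlist here (assumption).
WORDLIST = {"password", "letmein", "monkey", "dragon", "welcome", "sunshine",
            "qwerty", "baseball", "football", "princess"}

# Constructed sample passwords modelled on the patterns the comment describes.
SAMPLE = ["dragon", "sunshine2009", "Welcome1", "letmein!", "monkey",
          "x7$Qp2!mV", "correcthorsebattery", "password123"]

# a run of letters, then an optional tail of anything that is not a letter
_PATTERN = re.compile(r"^(?P<word>[A-Za-z]+)(?P<suffix>[^A-Za-z]*)$")

def classify(password, wordlist=WORDLIST):
    """Return 'dictionary', 'dictionary+digits', 'dictionary+symbols' or 'other'."""
    match = _PATTERN.match(password)
    if not match or match.group("word").lower() not in wordlist:
        return "other"
    suffix = match.group("suffix")
    if suffix == "":
        return "dictionary"
    if suffix.isdigit():
        return "dictionary+digits"
    return "dictionary+symbols"

def summarize(passwords, wordlist=WORDLIST):
    """Count how many passwords fall into each category."""
    counts = {}
    for password in passwords:
        category = classify(password, wordlist)
        counts[category] = counts.get(category, 0) + 1
    return counts

def weak_fraction(passwords, wordlist=WORDLIST):
    """Share of passwords that are a dictionary word with at most a short tail appended."""
    weak = sum(1 for p in passwords if classify(p, wordlist) != "other")
    return weak / len(passwords) if passwords else 0.0

if __name__ == "__main__":
    for password in SAMPLE:
        print(f"{password:24s} {classify(password)}")
    print(summarize(SAMPLE), f"weak fraction {weak_fraction(SAMPLE):.2f}")
```

A word-plus-two-digits pattern costs an attacker at most a hundred guesses per dictionary entry, which is why a leaked list of this shape is also a ready-made guess list for the same people's other accounts.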
Aggressive Social Sites (Score:5, Interesting)
A few months ago, my wife received an "invite" from one of her friends regarding one of these "mom" social websites (I really wish that I could recall - but I can't) - picture sharing and all that doo-dah.
Long story short, my constant geek bantering about "security" had finally gotten through to my wife - and she was using a different password for each website. What happened was astonishing: buried in the 58 page EULA, there was text about authorizing the site in question to logon to her supplied email account (e.g. - gmail.com) using the same supplied password. When my wife used a password that was not the same as her email account, the site simply asked her for it.
In other words, the people who use the same password for everything would simply check the "I AGREE" box, which would authorize the new site to harvest their email contacts for the sake of spamming them. Since the generated emails would be coming from a known contact, it would become a plausible suggestion for each recipient (i.e. - better than unsolicited spam).
I can imagine that sites like this would have no problem selling and/or posting this information publicly.
Re: (Score:2)
who's talking about "spokeo" (whatever that is), besides you?
Re: (Score:1)
My understanding of EULAs in case law (IANAL, or even a legal geek) is that they are enforceable in so much as they say what everyone knows and expects to be there. Some wacky clause would presumably not be then.
This is for software, not services and may even be wrong, but whatever.
Wikipedia gave no specifics, saying terms are pretty much case by case, and it focused strongly on software purchases.
Re: (Score:2)
If the Courts agree with you, then it's a matter of who writes the EULA equivalent of a nuke first.
Heck, someone should write an EULA with really really ridiculous terms e.g. "You give us complete ownership over your organs after your death, and any derivative products".
Re: (Score:1)
I just want them to try. Having a domain with a catch-all account I just put @dwarfsoft.com and let them use that for a login. There is no attached real email account so they could never log in, even if they tried.
Also, having different passwords (randomly generated and stored in a secure database, or in memory if you are that freaky) definitely helps :)
Re: (Score:2)
But I wish there was an easier way.
If you use firefox, there is.
Ask and ye shall receive. [passwordmaker.org]
Re: (Score:2)
Passwords like the samples you provided seem really vulnerable to dictionary attacks.
Re: (Score:2)
Facebook is a "mom" social website now? (It prompts you for your gmail email address and password.)
Re: (Score:2)
And why should they have a problem with it?
I don't think it has caused any trouble for any company as of yet. As far as they know, it's practically free advertising. People see that a friend is inviting them to the site, and they're more likely to subscribe themselves.
It's like those pain in the ass sites that offer to post on your Facebook for you when you've done something at their site.
Re: (Score:1)
Twitter also seems to do this. I even skipped the step where it asked to log into my other accounts, but it still seemed to check my MSN account (using the same password) and automatically make me follow the twitter of someone from my contact's list.
Re: (Score:2)
Wow, that is scary. All the more ammo to preach to people to use unique passwords.
Of course, even if you can train those folks to use unique passwords, you still have to train them not to give out account info where it doesn't belong. They'd probably just as easily give out the email account password unless educated. Gmail, etc., needs to add to their EULA that it is against their policy for you to share your account password.
What they (Google, etc.) should set up is a "safe" way to allow you to let sites
Not the first time (Score:5, Informative)
I worked for comcast about 8 years ago and at the time they had a Remedy test account they used for various stuff. One day I decided to login to the ftp using the remedy account and sitting there was a year old file with every subscriber's login and password. And since the ftp site was the account's web site home folder, these were just sitting there available to everyone.
Consumer (Score:2)
As a consumer, you are one of many.
Even if someone does care, it's a quick fix and back to a race to the bottom.
Security is for paying equals, the people you cannot afford to upset.
Paying a consumer data 'fine' every so often and a slick PR release is cheaper than real, expensive, ongoing prevention.
If congress or any other gov entity cares, any company can swear they have the best security in place..
Just not everywhere, all the
How do I establish whether I am still a victim? (Score:3, Interesting)
While the list is no longer available online, analysts fear that the document still lives on in various cache and online history services."
I would like to know whether my details are on that list. Question is: How do I get a hold of that list? How do I access data from the so called caches?
Re: (Score:2)
That's probably the wrong question, or wrong way to find out, especially if you do not wish to become suspect, a lot of people would interpret that as a ploy to get a hold of the list for malicious interests.
The best, or rather the first option would be to call your local Comcast ISP, and ask them if your details are on the leaked list (as they should have the list in some form). When that (likely) fails, then go hunting, or possibly try contacting Mr. Andreyo, although I'm sure he's now receiving about 100
Re: (Score:2)
Why take any chances? Just assume your account has been compromised. Whether or not you are a victim, you should change your password today. That takes care of it, without you having to do any follow-up research.
Also, make a habit of using encryption for all your email correspondence, regardless of sensitivity. If all your communication is encrypted, it doesn't matter how important or private it is, it will be protected.
Re: (Score:2)
The best, or rather the first option would be to call your local Comcast ISP, and ask them if your details are on the leaked list (as they should have the list in some form).
Actually, the FIRST thing you should do if you have a Comcast account is CHANGE YOUR PASSWORD. Also, change your password for any accounts that use the same password.
Re: (Score:1, Informative)
[Excerpt of the leaked list, containing real Comcast e-mail addresses and plaintext passwords, redacted.]
Re: (Score:2)
Anyone who has ever worked in IT, or has a bit of common sense, knows that the result of such a policy is that every employee has a post-it with their password on or near their monitor.
Re: (Score:3, Insightful)
They recommend setting the maximum password age to 42 days too. And the default is to remember the last 24 passwords and stop people reusing them.
And that's when Post-its start to appear because people are fed up with remembering a new variant of "89fZ#9I$" every month.
So you've substituted one security problem for another.
Password expiration isn't all that it's cracked up to be.
Re: (Score:2)
Well then they shouldn't choose passwords they can't remember.
So they're supposed to:
* Choose a different password for each application (since one of them might be compromised);
* Choose a new password every 42 days or less;
* Not use any of the last 24 passwords
Just *how* many passwords do you want them to remember?
I have a password which is a nonsense phrase with a few of the letters changed to numbers and some punctuation. Each time I need to change it I increment one of the numbers.
E.g. IHeardYouL1ekFoob1es@12, IHeardYouL1ekFoob1es@13 and so on.
So, if someone gets a hold of your password, and then it auto-expires, they're defeated... unless they increment the last digit or two. You're right! That's so incredibly secure!
Except, not. If your nonsense phrase is compromised, your entire password sch
Re: (Score:2)
Well they don't know which of the digits in the password should be incremented. If there are more than three of them they will run out of guesses.
But then *you* have to keep track of which of the sets of digits that appear to be simply appended to the passphrase are the incremented ones, and what number you're on. Again, you have to remember something... or write it down on a post-it stuck to your monitor.
But (and this is obvious if you'd thought about it) that doesn't matter, if they got hold of one password they could change it to whatever they wanted. Password expiry doesn't help at all in that case, the game is lost.
What password expiry does help with is passwords that are compromised, but where the hacker wishes to keep that a secret and use the compromised account to gain access and gather information in ways that are not detected, more than once over a peri
Re: (Score:2)
Throw in one more rule:
* The password does not contain three or more characters used in any of the 24 previous passwords
Assuming that the average user doesn't know how to enter Unicode characters (effectively reducing to 4 categories) and doesn't even repeat a character in a single password...
Will the user run out of possible new passwords within 24 iterations of this policy?
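To answer the question above, here is an added simulation (not from the thread). It assumes 8-character passwords drawn from the 94 printable ASCII characters with no character repeated, a 24-password history window, and reads the extra rule as "share at most two characters with each remembered password". It builds each new password greedily from a shuffled alphabet and then re-validates the whole sequence against the policy.

```python
import random
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 characters
LENGTH = 8        # assumption: 8-character passwords, no character used twice
HISTORY = 24      # the "remember the last 24 passwords" window from the thread
MAX_SHARED = 2    # the added rule: fewer than 3 characters in common with each remembered one

def overlap(a, b):
    """Number of distinct characters two passwords have in common."""
    return len(set(a) & set(b))

def violates(candidate, history):
    """True if candidate repeats a character or shares 3+ characters with any remembered password."""
    if len(set(candidate)) != len(candidate):
        return True
    return any(overlap(candidate, old) > MAX_SHARED for old in history[-HISTORY:])

def next_password(history, rng):
    """Greedily assemble a compliant password from a shuffled alphabet; None if it gets stuck."""
    window = history[-HISTORY:]
    order = list(ALPHABET)
    rng.shuffle(order)
    chosen = []
    for ch in order:
        # adding ch must not push any remembered password past MAX_SHARED shared characters
        if all(overlap(chosen + [ch], old) <= MAX_SHARED for old in window):
            chosen.append(ch)
            if len(chosen) == LENGTH:
                return "".join(chosen)
    return None

def generate(count, seed=0, attempts=1000):
    """Produce `count` consecutive passwords obeying the policy; stops early only if stuck."""
    rng = random.Random(seed)
    history = []
    for _ in range(count):
        password = None
        for _ in range(attempts):
            password = next_password(history, rng)
            if password is not None:
                break
        if password is None:
            break
        history.append(password)
    return history

def history_is_valid(passwords):
    """Re-check a whole sequence against the policy, one password at a time."""
    return all(not violates(pw, passwords[:i]) for i, pw in enumerate(passwords))

if __name__ == "__main__":
    sequence = generate(60)
    print(f"generated {len(sequence)} compliant passwords; valid={history_is_valid(sequence)}")
    for pw in sequence[:5]:
        print(pw)
```

With these assumptions the generator sails well past 24 iterations, so the user does not run out of passwords; what the rule really guarantees is that no compliant password looks like anything a person would choose or remember.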
Re: (Score:2)
Or are you trying to figure out whether you can sue them?
Password lists (Score:5, Interesting)
I remember in the good ol' days of dialup, folks (now known as script kiddies) would pound on the dialups with common username:password combinations until they found one. Those lists would float around. I've seen lists of thousands of valid usernames. The folks who got them would use the now "free" dialup until the customer finally canceled. Of course, those usernames were the same as the email address (like foo@aol.com), so in theory you had their email address too. If you hopped in the right IRC channel and chatted for a few minutes, you could get your hands on a different list pretty quickly.
I saw other comments saying that this was just Comcast insecurity, but it brought back memories. :)
Re: (Score:3, Interesting)
Easier than that, over my 16.8k connection I would ping scan port 80. 99.9% of the port 80s that were open were routers that served internal networks. The geniuses at the router company decided that shadowing the password on the config page was enough.
Little did they know I was a Haxxor that knew how to "View Page Source".
So many accounts from that...
Re: (Score:2)
Back in the day, my ISP had a Unix box (I forget the flavor). It was their web server, their FTP server, their mail server, and so on. /etc/passwd was wide-open, and non-shadowed.
I leave the rest for the imagination.
Re: (Score:2)
When I was a kid I figured out that you could manually dial Compuserve numbers and not "login". They wouldn't kick you for 2 hrs. I had a sweet IBM Thinkpad and Compuserve was damn near everywhere.. it was great when traveling around. A 1-800 number would tell me the local Compuserve dial-up too. That internet was a different world from this one though.
Best Way To Stay Anonymous? (Score:3, Insightful)
Have a really, really common name.
Re: (Score:2)
The problem with that is that it's damn hard to audit.
I have a very uncommon name. I plugged it into those search sites linked in TFA, and 99% of the search results were definitely about me. And nothing sordid or embarrassing came up.
So as long as you're careful you can still stay anonymous on the web.
Re: (Score:2)
That's not what he's talking about. I'll give you an example. Look me up on google and tell me what you find. My name is Mike Smith.
Yea.. well look ME up on google, my name is Mike Hunt!
I haxxored Comcast... (Score:5, Funny)
So I'm trying to log on to Comcast to look at my bill. It's one of those places you log on every three years or so, so I can't remember anything about the account. I gave them my name and they give me a secret question asking "What is your favorite drink?" Well who the hell has a special favorite drink? So I plug in a few answers and finally try "milk". Bingo, I'm in. Change the password to my standard website name hash, poke around, get confused, and realize... wait a second... this isn't my account. My name is fairly rare, but I guess not rare enough.
I don't really have any way of resetting it to what it was before, and for some reason there was no email verification involved. So I whistled quietly as I closed the window and called customer service instead.
Bad idea. They'll probably remember you as "that weird guy that insisted on using Linux/not using Windows/what-have-you" and accuse you of "hacking".
Re: (Score:2)
Presumably he called just to ask about the question he had about his account, instead of telling them about the hacking.
Yes, not much of a point in telling them about it. I just decided they weren't quite internet ready and relied on phone instead.
Re: (Score:2)
They'll probably remember you as "that weird guy that insisted on using Linux/not using Windows/what-have-you" and accuse you of "hacking".
Considering his subject said "I haxxored Comcast" he admitted to doing it. Don't worry he will get a reduced sentence for coming clean.
Re: (Score:2)
I wonder how long it will be before people figure out that "secret questions" are such a huge security hole.
Re: (Score:2)
I think he was trying to drop hints about what he uses as his mother's maiden name.
Re: (Score:3, Funny)
Not completely secure if the attacker knows your hash function, but I'm no longer low-hanging fruit.
Or you could just use the last five words as your secret passphrase, and no one would ever get it because it's apparently a totally random combination of words and letters.
Re: (Score:2)
Just run the answers through a good hash function.
That's great until some web admin decides to rephrase the question.
Re: (Score:2)
I've basically established a standard answer to any security question and use it universally, regardless of the question. Effectively, it's like having yet another password to remember, but it works well enough.
Still, I agree with the general sentiment -- especially when the question is such a basic thing as 'your favorite color'.
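An added example, not from the thread, of the "run the answers through a hash function" idea in the replies above: the answer is an HMAC over the site name and the normalised question text, so it differs per site and per question but is reproducible from one memorised secret. The normalisation only absorbs case, spacing and punctuation; a site that rewords the question ("favourite" for "favorite") still breaks the scheme, exactly as the reply above warns. The secret, site names and questions below are made up for the example.

```python
import base64
import hashlib
import hmac
import re

def normalize(question):
    """Keep only letters and digits, lower-cased, so case, spacing and punctuation don't matter."""
    return re.sub(r"[^a-z0-9]", "", question.lower())

def derive_answer(secret, site, question, length=16):
    """Per-site, per-question answer derived from one memorised secret (hypothetical scheme).

    HMAC-SHA256 keyed with the secret over site || NUL || normalised question; the
    digest is base32-encoded so the answer is letters and digits only, easy to type.
    """
    message = site.lower().encode() + b"\x00" + normalize(question).encode()
    digest = hmac.new(secret.encode(), message, hashlib.sha256).digest()
    return base64.b32encode(digest).decode().rstrip("=")[:length].lower()

def answers_match(secret, site, asked_then, asked_now):
    """Would the answer set up under one wording still verify under another wording?"""
    return derive_answer(secret, site, asked_then) == derive_answer(secret, site, asked_now)

if __name__ == "__main__":
    secret = "correct horse battery staple"      # constructed secret
    q = "What is your favorite drink?"
    print(derive_answer(secret, "comcast.net", q))
    print("punctuation change survives:", answers_match(secret, "comcast.net", q, "what is your favorite drink"))
    print("rewording survives:", answers_match(secret, "comcast.net", q, "What is your favourite drink?"))
```

Because the answer is keyed, an attacker who reads the scheme still needs the secret, and because the site name is mixed in, one site's leaked answer does not unlock another; the price is that you must record the exact question each site asked.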
What street did you grow up on? (Score:2)
One of my charge card accounts actually asked me that. If I answered correctly, all my childhood friends and enemies are in.
Slashdotted... (Score:2, Funny)
Can someone post google cache link please?
Re: (Score:1, Informative)
http://66.218.69.11/search/cache?ei=UTF-8&p=%22ComCast+Mail%22++Kevin+Andreyo&fr=yfp-t-501&u=www.scribd.com/doc/9723141/ComCast-Mail&w=%22comcast+mail%22+kevin+andreyo&d=ZjZ_Sp2uSYep&icp=1&.intl=us
Re: (Score:2, Funny)
I shall notify the people who have critically weak passwords by email.
Re: (Score:2)
I shall notify the people who have critically weak passwords by email.
From themselves?
Heavily encrypted? (Score:3, Interesting)
If, according to Comcast, the passwords are heavily encrypted, how the hell can someone find them in clear text?
That means someone or something somewhere stores this information in clear text to begin with.
Re: (Score:2)
Many of the passwords shown in the postings I've skimmed past haven't looked like dictionary words. I've actually gone back to an earlier post, and Google'd a few of the higher-security looking ones, and the only result is a single out of order page. [scribd.com]
That makes me fairly certain someone screwed up this one.
Thank Goodness. (Score:1)
I mean the following statement with little to no sarcasm at all. How many of you will believe that is a different story.
I have Slashdot to thank once again for saving me at the last minute from switching from Verizon to Comcast.
Warn the comcast users! (Score:2)
There is always space to make a bad situation far worse
Re: (Score:2)
And most of the jurors would believe him, since they'd have been phished/keylogged/pwned/comcasted[1] before or knew someone who had.
[1] Comcasting is the broadcasting of your usernames and passwords.
Re: (Score:2)
Too bad I already hunted down the list and verified that my account isn't on it. Well, not that they'd get me anyway, especially since that little trick to show me the wrong url in my navigation bar doesn't work with my browser.
If they do it the way shown above, it does "work," for very low values of work. Your navigation bar would say www.comcast.net.etc.hacksite.com/resetpassword.php, because that would be the REAL URL.
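An added example, not from the thread, showing how to pull the registrable domain out of a URL such as the one above so that "www.comcast.net" appearing as the leftmost labels is not mistaken for the real site. The suffix table is a constructed stand-in for the Public Suffix List; the URLs in the test are made up.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List; real code should load the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk"}

def hostname(url):
    """Extract the host the browser would actually connect to (handles user@host tricks)."""
    if "://" not in url:
        url = "http://" + url            # assumption: bare hosts are treated as http URLs
    host = urlsplit(url).hostname or ""  # userinfo before '@' is discarded here
    return host.rstrip(".").lower()

def registrable_domain(host):
    """Return the domain a registrant controls: one label left of the longest public suffix."""
    labels = host.split(".")
    for i in range(1, len(labels)):      # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return None

def same_site(url, expected):
    """True only if the URL's registrable domain is exactly `expected`."""
    return registrable_domain(hostname(url)) == expected.lower()

def classify(url, expected="comcast.net"):
    """'genuine' if the domain is really expected, 'lookalike' if the name merely appears in the URL."""
    if same_site(url, expected):
        return "genuine"
    if expected.lower() in url.lower():
        return "lookalike"
    return "unrelated"

if __name__ == "__main__":
    for url in ("http://www.comcast.net.etc.hacksite.com/resetpassword.php",
                "http://www.comcast.net@hacksite.com/resetpassword.php",
                "https://login.comcast.net/"):
        print(f"{url:60s} {registrable_domain(hostname(url)):15s} {classify(url)}")
```

The second URL in the usage block shows the older userinfo trick: everything before the "@" is a username as far as the browser is concerned, and the real host is hacksite.com.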
I'll Give Even Comcast the Benefit of Doubt (Score:5, Interesting)
If this document is traced back to Comcast they're guilty of more than simple incompetence, they engaged in deliberate unethical behavior.
Re: (Score:2)
http://advogato.org/ [advogato.org] stores their passwords in plaintext, or at least in non-hash form. I think it's more common than you believe.
Re: (Score:3, Insightful)
I work at a software company. In security.
The software engineering team is absolutely certain they don't want corporate IT security anywhere near their precious development process. We would just slow things down. So they all put "security expert" on their resumes and said they don't need us, they know what they're doing, etc..
Yeah, every app they use has totally botched authentication--plaintext password storage, unsalted hashes--you name the security mistake, these "expert" developers ship it in our top-dol
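An added example, not from the thread or from any product mentioned in it, putting the plaintext storage the commenters describe beside a salted, iterated hash using only the Python standard library. Usernames and passwords are made up; the iteration count is an assumption to be tuned on real hardware.

```python
import hashlib
import hmac
import os

class PlaintextStore:
    """What a leaked 'list of usernames and passwords' implies: the secret is stored as-is."""
    def __init__(self):
        self.records = {}

    def add(self, user, password):
        self.records[user] = password          # anyone who reads this file has every password

    def verify(self, user, password):
        return self.records.get(user) == password

class HashedStore:
    """Salted PBKDF2-HMAC-SHA256: a leaked `records` table yields no passwords, only work for a cracker."""
    ITERATIONS = 600_000                       # assumption: tune so one verify costs ~100 ms

    def __init__(self, iterations=ITERATIONS):
        self.iterations = iterations
        self.records = {}

    @staticmethod
    def _digest(password, salt, iterations):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

    def add(self, user, password):
        salt = os.urandom(16)                  # per-user salt: identical passwords hash differently
        self.records[user] = (self.iterations, salt, self._digest(password, salt, self.iterations))

    def verify(self, user, password):
        record = self.records.get(user)
        if record is None:
            # burn the same work for unknown users so timing does not reveal which names exist
            self._digest(password, b"\x00" * 16, self.iterations)
            return False
        iterations, salt, expected = record
        return hmac.compare_digest(self._digest(password, salt, iterations), expected)

if __name__ == "__main__":
    bad, good = PlaintextStore(), HashedStore(iterations=10_000)
    for store in (bad, good):
        store.add("alice@example.net", "trucks99")
        store.add("bob@example.net", "trucks99")
    print("plaintext leak:", bad.records)
    print("hashed leak:", {u: (i, s.hex(), d.hex()[:16] + "...") for u, (i, s, d) in good.records.items()})
    print("verify:", good.verify("alice@example.net", "trucks99"), good.verify("alice@example.net", "trucks98"))
```

Note that the salted hash does nothing for the weak-password problem discussed earlier in the thread: a dictionary word plus two digits still falls to an offline guess in seconds, the hash only makes the attacker pay for each guess instead of reading the answer off the page.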
Re: (Score:2)
Security involves more than encrypting passwords and defining some roles. Thorough auditing, timely alerts, and granular data control are mandated by regulations like SOX and HIPAA. A cavalier, do-it-yourself attitude puts you and your company at risk.
Re: (Score:2)
Of course they're going to blame malware or a third party. They just did a complete re-design of their web-based email system about three weeks ago. System was down for maintenance for a few hours late one night while they moved everything to the new servers. All Comcast customers were notified about the change about a week in advance. I think they sent two or three messages, boasting about all the great changes that were in store for us on the horizon after the new mail system was in place. Chances ar
Re: (Score:2)
I have to believe Comcast is telling the truth and some kind of malware is to blame.
Malware where? On their installation CD? Because this is a list only of Comcast accounts... so the malware would either have to be targeting Comcast users on their own computers (so, the installation CD provided by the ISP) or it's getting the info from Comcast's computers... which would mean that they're storing passwords in plaintext.
Re:While the list is no longer available online (Score:5, Informative)
It is.
http://66.218.69.11/search/cache?ei=UTF-8&p=%22ComCast+Mail%22++Kevin+Andreyo&fr=yfp-t-501&u=www.scribd.com/doc/9723141/ComCast-Mail&w=%22comcast+mail%22+kevin+andreyo&d=ZjZ_Sp2uSYep&icp=1&.intl=us [66.218.69.11]
Took about a minute to find.
Re: (Score:2, Interesting)
How bad would it be to write a script to email all these people and maybe disclose the first 3 or 4 letters of their password, and if they see it's the same, then maybe they can take action...
Would that be impolite or considered spam?
Re: (Score:1, Insightful)
I think a lot of people would see it as "impolite" or worse. I would want disclosure, but the technologically illiterate would see it as a violation. Still, they are better off knowing.
I won't be writing that script. :0)
Re: (Score:2)
Obviously, it's still out there (look down below in this thread). I remember I changed my comcast password last summer, when they previously announced a similar problem. Now, just to be safe, I'm changing it about every three months, just as I do my work account. You can't be too careful with this kind of stuff, particularly when the gatekeepers of your private information cannot be trusted to safeguard it as securely as I do on my own network.
Re: (Score:3, Informative)
True, in fact, there is already a comment that gives a download mirror, see here. [slashdot.org]
Nobody waste your time/bandwidth even following that link, as it's to the troll post above which links to nothing but a video and imagery probably nobody wants to see (recall goatse.cx links).
Re: (Score:2)
and figured hey I'm on slashdot the smart people here will get what I'm saying.
You must be new here...
It's not about smartness. It's about those people here that have nothing better to do than to hang around here all day long, have tons of prejudice and projection, stemming from the self-hatred of not being out there and getting girls, or something like that. It's a very primitive thing. They are very smart on an intellectual level, but emotional and social pre-school children.
It's what comes as a price with concentrating so much on technology. But hey, would you want to get tons of g