Passwords of 8,000 (700) Comcast Customers Exposed

Update:  3/17/09 – Comcast posted a comment on this article describing the actual state of the “public” account information.  Great news for Comcast customers, but it does raise questions about the other usernames and passwords: where are they valid?  Regardless, Comcast gets kudos for attacking this problem both internally, with security precautions, and PR-wise, with knowledgeable individuals.  Thank you for the update; looking forward to a greater response from other parties.

Recently some individual uploaded approximately 8,000 usernames and passwords of Comcast users to Scribd.  While the document has been taken down, the data is still very much in the wild, and any affected individual (or business) must change ALL of their account passwords ASAP.  Unfortunately most individuals reuse passwords across websites, so it is key to remember good password policy:

  1. Always use difficult passwords
  2. Always rotate passwords
  3. Always retire passwords
  4. Always have tiered password structures – meaning some passwords that are more difficult and are rotated regularly, used on the accounts that matter most (bank accounts are obvious, but a Comcast account would be at the top if you have set that email up as the default email account for your other web service accounts)

Finally, continue to do as Kevin Andreyo did – google yourself and keep a handle on your privacy.

Once the data has been breached it is no longer useful for privacy, authentication, or authorization.  It is good to see Comcast moving to clear out these insecurities, but this (sadly) is only the beginning of this drama.

A good question – how do compliance and security controls fall into this situation?  Where is the incident response plan (here is a good start from the Source Boston conference), and how is management made aware of such occurrences?  Meaning, did the CEO of Comcast find out via the New York Times reporter, or from internal resources (communication is key)?

Consider these impacts to your consumers.

Thoughts?

James DeLuccia IV

Join me and the world at RSA 2009, where I will be speaking on Credit Card Security

*BTW – The data referenced in the New York Times article and on Digg is still available online – after a bit of Googling I was easily able to find it and confirm its authenticity.


One response to “Passwords of 8,000 (700) Comcast Customers Exposed”

  1. Hi James,

    This is Scott from Comcast. First, I think your password tips are right on (I use 1Password on my Mac to create, and manage, tough unique passwords for all my accounts).

    I would like to share some updated info straight from the horse’s mouth (that being Comcast). We took a look at the file, parsed it, and compared it to our records. We found that most of the 8000 entries were either duplicates or not Comcast accounts. That left us with about 700 actual current Comcast accounts listed. We are in the process of contacting those people, after we froze their accounts so no one could access them, and informing them of the issue. We’ll also be pointing people towards the security section of our Web site for pointers about keeping their accounts secure (since it appears that this list was the result of a phishing attack; we have no reason to believe any Comcast systems have been compromised).

    Finally, as I’m sure you might expect, we’re working with the proper authorities on this matter.
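The triage Scott describes (parse the dump, drop duplicates and non-Comcast entries, freeze the accounts that are actually current customers) is a reusable incident-response step. The script below is an added example, not Comcast's tooling: the dump lines and the customer list are constructed stand-ins, `CURRENT_CUSTOMERS` and `PROVIDER_DOMAINS` are hypothetical names, and the password field is discarded at parse time so the triage never retains it.

```python
import re

# Constructed sample of a leaked dump in the mixed separators such files arrive with.
# These are made-up entries, not data from the real file.
DUMP = """\
alice@comcast.net:hunter2
Alice@Comcast.net:hunter2
bob@comcast.net,letmein
carol@example.org:password1
dave@comcast.net\tqwerty
bob@comcast.net:letmein
garbage line without separator
"""

# Constructed stand-ins for the provider's own records (hypothetical names).
CURRENT_CUSTOMERS = {"alice@comcast.net", "bob@comcast.net", "erin@comcast.net"}
PROVIDER_DOMAINS = {"comcast.net"}

SEPARATOR = re.compile(r"[:,\t;|]")


def parse_dump(text):
    """Yield normalized usernames only; the password half of each line is
    dropped here so it is never stored, logged or written anywhere."""
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        parts = SEPARATOR.split(raw, maxsplit=1)
        if len(parts) != 2 or "@" not in parts[0]:
            continue  # unparseable line, skip rather than guess
        yield parts[0].strip().lower()  # case-fold so duplicates collapse


def triage(text, customers, domains):
    """Reduce a raw dump to the accounts that must be frozen and notified."""
    usernames = list(parse_dump(text))
    unique = set(usernames)
    ours = {u for u in unique if u.rsplit("@", 1)[1] in domains}
    return {
        "raw_lines": len(text.splitlines()),
        "parsed": len(usernames),
        "duplicates": len(usernames) - len(unique),
        "not_provider": len(unique - ours),
        "provider_not_current": len(ours - customers),
        "freeze": sorted(ours & customers),  # current accounts to lock and notify
    }


if __name__ == "__main__":
    print(triage(DUMP, CURRENT_CUSTOMERS, PROVIDER_DOMAINS))
```

The counts in the returned summary are what a response team reports (raw entries, duplicates, foreign accounts, accounts actually at risk), and the `freeze` list is the only field that should feed downstream actions.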
