Update: 3/17/09 – Comcast posted a comment to this article informing us of the status of the “public” account information. Great news for Comcast customers, but it does raise questions about the other usernames and passwords in the dump: where are they still valid? Regardless, Comcast gets kudos for attacking this problem both internally, with security precautions, and PR-wise, with knowledgeable individuals. Thank you for the update; looking forward to a greater response from the other parties.
Recently some individual uploaded approximately 8,000 usernames and passwords of Comcast users to Scribd. While the document has been taken down, the data is still very much in the wild, and any affected individual (or business) must change ALL of their account passwords ASAP, not just the Comcast one. Unfortunately most individuals reuse passwords across websites, so one leaked password is a key to several doors. It is worth remembering good password policy:
- Always use strong passwords (long and unpredictable, not a dictionary word with a digit appended)
- Always rotate passwords
- Always retire passwords that have been exposed, and never reuse them anywhere else
- Always have a tiered password structure, meaning that the accounts that matter most get the most difficult passwords and the most regular rotation. Bank accounts are the obvious top tier, but a Comcast account belongs there too if you have set that email up as the default (recovery) address for your other web service accounts: whoever controls the mailbox can reset everything that points at it.
Finally, continue to do as Kevin Andreyo did: google yourself and keep a handle on your privacy.
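To make the reuse point concrete, here is an added example (my code for this write-up, not anything from Comcast or the original dump) that checks a set of your own accounts against a leaked user:password dump. The dump and the account list are constructed sample data; the real data is deliberately not reproduced. Passwords from the dump are only ever compared as keyed hashes, so the index never holds plaintext, and it flags three things the list above warns about: an exact leaked credential, a reused password, and an account whose recovery email is itself one of the leaked accounts (the tiering problem).

```python
"""Check your own accounts against a leaked user:password dump.

Added example, not code from the original post. SAMPLE_DUMP and
MY_ACCOUNTS are constructed data, not the real Comcast credentials.
"""
import hashlib
import hmac
import secrets

# Constructed sample of a leaked "user:password" dump (fake data), including
# one garbled line so the parser's tolerance is exercised.
SAMPLE_DUMP = """\
# leaked accounts (constructed sample)
alice@comcast.example:Summer2009!
bob@comcast.example:password1
carol@comcast.example:Summer2009!
broken line without separator
dave@comcast.example:letmein
"""


def parse_dump(text):
    """Return a list of (username, password) from user:password lines.
    Comments, blank lines and lines without a separator are skipped so a
    half-garbled dump does not abort the whole check."""
    creds = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, _, password = line.partition(":")
        creds.append((user.strip().lower(), password))
    return creds


def fingerprint(password, key):
    """Keyed hash of a password. The key is random per run, so the index is
    worthless to anyone who obtains it afterwards (no offline cracking)."""
    return hmac.new(key, password.encode("utf-8"), hashlib.sha256).hexdigest()


def build_index(creds, key):
    """Map fingerprint(password) -> set of leaked usernames that used it."""
    index = {}
    for user, password in creds:
        index.setdefault(fingerprint(password, key), set()).add(user)
    return index


def reused_password_count(index):
    """Number of distinct passwords in the dump shared by two or more accounts."""
    return sum(1 for users in index.values() if len(users) > 1)


def exposed_accounts(my_accounts, index, leaked_users, key):
    """my_accounts: {site: {"user", "password", optional "recovery_email"}}.
    Returns {site: [reasons]} for every account that needs a new password."""
    findings = {}
    for site, acct in my_accounts.items():
        reasons = []
        fp = fingerprint(acct["password"], key)
        if fp in index:
            if acct["user"].lower() in index[fp]:
                reasons.append("exact username:password pair is in the dump")
            else:
                reasons.append("password is in the dump (reuse); leaked passwords get sprayed at other sites")
        if acct.get("recovery_email", "").lower() in leaked_users:
            reasons.append("recovery email is a leaked account; a password reset is attacker-reachable")
        if reasons:
            findings[site] = reasons
    return findings


def check(dump_text, my_accounts):
    """Full pipeline: parse, index under a fresh random key, report exposures."""
    key = secrets.token_bytes(32)
    creds = parse_dump(dump_text)
    index = build_index(creds, key)
    leaked_users = {user for user, _ in creds}
    return exposed_accounts(my_accounts, index, leaked_users, key)


# Constructed "my accounts", illustrating the tiers discussed above.
MY_ACCOUNTS = {
    "comcast-email": {"user": "alice@comcast.example", "password": "Summer2009!"},
    "bank": {"user": "alice", "password": "Tr0ub4dor&3-unique",
             "recovery_email": "alice@comcast.example"},
    "forum": {"user": "alice99", "password": "password1",
              "recovery_email": "other@mail.example"},
    "photos": {"user": "alice", "password": "zx9!Qm4#pL2v",
               "recovery_email": "other@mail.example"},
}

if __name__ == "__main__":
    for site, reasons in sorted(check(SAMPLE_DUMP, MY_ACCOUNTS).items()):
        print(site)
        for reason in reasons:
            print("  -", reason)
```

Run as-is, the bank account is flagged even though its password is unique and strong: its recovery address is a leaked mailbox, which is exactly why the email account has to sit in the top tier. The photos account, with a unique password and an unaffected recovery address, is the only one that does not need to change.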
Once the data has been breached it is no longer useful for privacy, authentication, or authorization; a leaked password is a public string, not a secret. It is good to see Comcast moving to clean up these exposures, but this (sadly) is only the beginning of this drama.
A good question: how do compliance and security controls fit into this situation? Where is the incident response plan (here is a good start from the Source Boston conference), and how is management made aware of such occurrences? Meaning, did the CEO of Comcast find out via the New York Times reporter, or from internal resources? Communication is key.
Consider these impacts to your consumers.
James DeLuccia IV
*BTW – The data referenced in the New York Times article and on Digg is still available online; after a bit of Googling I was easily able to find it and confirm its authenticity.