Comcast User Names and Passwords Exposed
Andreyo was inspired by the March 10, People Search Engines: They Know Your Dark Secrets... And Tell Anyone, PC World article, to do a little sleuthing to see how much of his personal life was exposed online. When he searched for his e-mail address in Pipil, four results popped up, including one on the self-publishing site, Sribd. It was this document on Scribd that had all the Comcast accounts and passwords, including his own. The New York Times reported yesterday: "Statistics on Scribd indicated that the list, which was uploaded by someone with the user name vuthanhan2004, had been viewed over 345 times and had been downloaded 27 times."
It is not clear if Andreyo directly contacted Scribd; but he did report his findings to Comcast, the F.B.I., and a number of journalists. Once New York Times reporter, Brad Stone, contacted Scribd, the document was pulled yesterday afternoon.
"That isn't just my password for Comcast, it's my password for everything that is not tied to my credit card... It's one thing to publish a credit card number, but to hand over user IDs and passwords for accounts is another. Someone could just go in and pull up all your archived messages, and then they have everything about you." -- Kevin Andreyo from his interview with the New York Times
Although Andreyo claims that it is unlikely he was the victim of a phishing attack, Comcast spokesperson, Jennifer Khoury, told the New York Times: "We have no reason to believe this came from Comcast. It looks like a phishing or related type of scheme." Comcast's belief that the list was not from data purloined directly from Comcast was at least in part because the list contained a lot of "duplicated data" and "the lack of structured information like account numbers." In fact, so much of the data was duplicated that Comcast estimated that the total number of exposed customers was actually around 4,000.
Later in the day, DSLReports.com also covered this story; however, the statement that DSLReports.com received from Comcast indicates that Comcast had more time to investigate the matter, and subsequently found that the damage was not quite as bad as it first seemed:
"Earlier today, we were alerted a Web site was hosting a document that reportedly contained Comcast.net customer user IDs and passwords. Based on an initial analysis of the document, we have identified that only about 700 of these accounts are real. The list was likely generated as the result of a phishing scam or some kind of malware that affected customer computers. We have no reason to believe that any Comcast systems have been compromised. The site has removed the document and we are in the process of freezing access to any customer's account on that list. We are also in the process of proactively contacting customers to let them know about this situation and the steps they can take to help protect themselves. Comcast takes customer privacy very seriously and it is precisely because of times like this that we have been providing free security software and tools for years to help customers protect themselves from phishing scams and malware." -- Comcast statement to DSLReports.com
The free security software being referred to is the McAfee Security Suite, which is available for free to all residential Comcast broadband customers. Residential Comcast broadband accounts can have up to a total of seven users (one primary account and six secondary accounts), and all seven users are eligible to download and use the software for free.
As to how this list of 700 real Comcast customers' user names and passwords (along with, presumably, many fake accounts) made it onto Scribd, or where the data originally came from is still a mystery--and it is uncertain if we will ever learn the full, true story. We can all learn from this incident, however, to make sure that we implement safe practices when we go online. These practices include using security software with current definition files, being very wary who you share your personal information with, and using a unique, non-dictionary password for each site you have an account on--security software company, Sophos, reports that 33-percent of people use the same password for multiple websites.
Of course, these preventative measures only help us if we're the source of the leak; if the data is leaked from our service providers or by the sites we do business with, then much of our proactive behavior can be rendered useless. Somehow, the draconian alternative of never going online in the first place doesn't seem to be a viable option. In the meantime, perhaps you should try out a few of the "deep web" search engines, such as pipl and Spokeo, to see what information about you is online for the world to see... Hopefully, you won't be surprised by what you find.