Comcast Resets Nearly 200,000 Passwords After Customer List Goes On Sale (csoonline.com)
itwbennett writes: Over the weekend a Dark Web marketplace had 590,000 Comcast email addresses and passwords for sale, offering the entire list for $1,000, writes CSO's Steve Ragan. Saturday evening Ragan contacted Comcast about the accounts being sold online and learned that Comcast had 'already obtained a copy of the list' and was checking it against their customer base. 'Of the 590,000 records being sold, only about 200,000 of them were active,' Comcast said. Still unknown is the source of the data being sold online, although signs point to it being recycled.
Good time for a phone scam (Score:4, Insightful)
Good time for a phone scam.
By calling people and saying that you are from Comcast and that we need to reset your password, and asking them for the info plus their new password.
Re: (Score:1)
What would you call that, two factor scam authentication?
Yes. It's a method of ensuring the victim is actually that stupid, just in case there were any doubts left.
Remember kids...due diligence is always viewed as a good thing no matter the wrapper.
Re:Good time for a phone scam (Score:5, Funny)
Is your network slow?: [Yes]
Does it flake at night and on weekends?: [Yes]
Do technicians pretend like they solve the problem but never do?: [Yes]
Does phone support always want to sell you crap you don't need or want?: [Yes]
Do weird fees appear on your bill out of no-where?: [Yes]
[Enter...]
You have been CONFIRMED to be a Comcast customer. Now please change your password.
Re:Good time for a phone scam (Score:4, Insightful)
Is your network slow?: [Yes]
Does it flake at night and on weekends?: [Yes]
Do technicians pretend like they solve the problem but never do?: [Yes]
Does phone support always want to sell you crap you don't need or want?: [Yes]
Do weird fees appear on your bill out of no-where?: [Yes]
[Enter...]
You have been CONFIRMED to be a Comcast customer. Now please change your password.
You're also likely an AT&T or Verizon subscriber. Once the entity gets to a large enough size, it's often incapable of fighting those "creative ways to boost revenue" by screwing its captive customers.
Re: (Score:2)
Still unknown is the source of the data being sold online, although signs point to it being recycled.
So, they got the info out of the Recycle Bin?
Re: (Score:2)
Or the dumpster. Someone once found a Weather Star in a dumpster at a Comcast headend.
It isn't just Comcast passwords ... (Score:4, Insightful)
it is also all the other places where people have used the same password and have used the same email address. Comcast must contact all 590,000 people - not just the 'active' ones; people might not be active comcast customers but many will still be real people who must be told that an old supplier has f**ked up and revealed their password.
It is unacceptable for comcast to say: old customer, not important; they should not have reused their password - so not our fault. I agree that password reuse is stupid, but the world is full of stupid people.
Re: (Score:2)
just a couple big players carving up the geography and colluding not to compete.
Actually, it's government sponsored collusion.
In a very large percentage of cities, the local government awards an exclusive franchise to one $BIG_CABLE_COMPANY.
Something in the neighborhood of 20 states have passed laws prohibiting cities from setting up their own broadband networks.
A couple of cities have even turned down Google's offer of gigabit fiber because Google didn't want to pay the standard kickbacks to local politicians (aka Franchise Fees).
Re: (Score:2)
In a very large percentage of cities, the local government awards an exclusive franchise to one $BIG_CABLE_COMPANY.
No, they award a non-exclusive franchise. I've yet to see an exclusive one, and most cities just copy what other cities have done, changing only the relevant local bits.
A couple of cities have even turned down Google's offer of gigabit fiber because Google didn't want to pay the standard kickbacks to local politicians (aka Franchise Fees).
You mean they would have gotten a franchise had they been willing to pay the same fees that the other competitors do? The fee that is based on the use of public rights of way?
Wouldn't that be an unfair advantage and a tax-break to Google? Doesn't that also kinda disprove the claim of an exclusive franchise?
Re: (Score:2)
There's also a Bennett diagram of Comcast customers and Internet users...
Re: (Score:3)
Comcast must contact all 590,000 people
"Can I please place you on hold? Thank you, I am now transferring you to the department that handles this function."
Click. Click.
(Silence)
Click.
"Hello, and welcome to Comcast customer service. We are currently experiencing higher than normal volumes, but be assured that your call will be handled as soon as a customer service agent is available. Please hold."
(Music)
"Have you heard about Comcast Xfinity bundles? Comcast Xfinity bundles offer customers the opportunity to right-size their services!"
Re: (Score:2)
"It is unacceptable for comcast to say: old customer, not important; they should not have reused their password - so not our fault. "
Which is probably why Comcast did not say that: "However, playing the better safe than sorry card, Comcast will assume the passwords on the matching accounts are valid and force a reset."
With all of the veritably bad actions that Comcast is taking, there's no need to make stuff up.
Good For The Hackers (Score:2, Funny)
Still unknown is the source of the data being sold online, although signs point to it being recycled.
It's good to hear that the hackers care about the environment.
Are they going to bother notifying us?! (Score:2)
"Customers impacted by the password resets will be dealt with on a case-by-case basis. When asked, a Comcast representative confirmed that their security teams were certain that none of their systems or apps had been compromised."
Uh... EXCUSE ME?! If my account was compromised I want to know NOW - I rarely login to my account as I have my own email and get my bill mailed to me.
sigh... going to check now...
Re: (Score:2, Insightful)
"Customers impacted by the password resets will be dealt with on a case-by-case basis. When asked, a Comcast representative confirmed that their security teams were certain that none of their systems or apps had been compromised."
Uh... EXCUSE ME?! If my account was compromised I want to know NOW - I rarely login to my account as I have my own email and get my bill mailed to me.
sigh... going to check now...
OK, the obvious question: WHY is there a list of Comcast passwords? They've not heard of basic hashing?
Re: (Score:2)
Or, how about the fact (yes, fact) that most people [citation needed] use the same password for a variety of services? A unique enough email address can lead to one's online identity being discovered, and now the nefarious turd has your password.
Then again, maybe the person already checked those vectors and is just trying to make a little more money off the list.
Plaintext passwords? (Score:5, Insightful)
Who the hell stores plaintext passwords anymore? You'd think that should be illegal...
Re: (Score:1)
Who the hell stores plaintext passwords anymore? You'd think that should be illegal...
Passwords don't need to be stored as plaintext to determine them; there are techniques you can use to recover hashed passwords, as long as they're 14 characters or less.
Re: (Score:3)
He means like rainbow tables and other aggregate attacks. You won't get every password but you will get a lot of them.
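The two comments above ("They've not heard of basic hashing?" and the reply about rainbow tables and aggregate attacks) are two sides of the same point: an unsalted fast hash lets one precomputed table crack every leaked record at once, while a salted, iterated hash forces a separate attack per record. The following Python is an added illustration written for this page, not code from Comcast or from the article; the wordlist and the "leaked" digests are constructed here, and `weak_store`, `build_lookup`, `crack_unsalted`, `strong_store` and `verify` are names chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Constructed wordlist standing in for a cracking dictionary or rainbow-table input.
WORDLIST = ["123456", "password", "comcast1", "letmein", "qwerty", "xfinity"]


def weak_store(password: str) -> str:
    """The bad way: unsalted MD5. Same password -> same digest for every user."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup(words: Iterable[str]) -> Dict[str, str]:
    """Precompute digest -> plaintext once; the cost is amortised over the whole dump.
    This is the 'aggregate attack' the thread describes: one table, many victims."""
    return {weak_store(w): w for w in words}


def crack_unsalted(digests: Iterable[str], table: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Every leaked digest is a single dictionary lookup against the shared table."""
    return {d: table.get(d) for d in digests}


# OWASP Password Storage Cheat Sheet floor for PBKDF2-HMAC-SHA256 (2023 revision).
PBKDF2_ITERATIONS = 600_000


def strong_store(password: str, salt: Optional[bytes] = None) -> str:
    """The defensible way: per-user random salt plus a deliberately slow KDF.
    Record format (assumed for this example): algo$iterations$salt_hex$hash_hex."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo() -> Dict[str, object]:
    """Crack a constructed unsalted dump, then show why the salted scheme resists it."""
    # Constructed 'leak': three users, two of them sharing a dictionary word.
    leaked = [weak_store("comcast1"), weak_store("password"), weak_store("Tr0ub4dor&3!x9")]
    table = build_lookup(WORDLIST)
    cracked = crack_unsalted(leaked, table)

    # With salting, two users with the same password get unrelated records,
    # so a lookup table keyed on digest cannot be shared between them.
    rec_a = strong_store("comcast1")
    rec_b = strong_store("comcast1")
    return {
        "cracked": cracked,
        "recovered_count": sum(1 for v in cracked.values() if v is not None),
        "salted_records_differ": rec_a != rec_b,
        "verify_ok": verify("comcast1", rec_a),
        "verify_wrong": verify("comcast2", rec_a),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", v)
```

The shared-table attack recovers every dictionary word in the dump in one pass, which is why a breached site with unsalted hashes should be treated as having leaked plaintext. Salting alone does not stop a targeted guess against one record; the iteration count is what makes each of those guesses expensive.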
Password reuse (Score:3)
There's a larger issue of password reuse. It's likely that many of the 590k people on the list reuse passwords, which means you can just start an auto-login script to get into email, banks, everywhere.
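The "auto login script" the comment describes is credential stuffing: each leaked email/password pair is tried once against many services. From the defender's side it has a distinctive shape in authentication logs, one source touching many distinct accounts with roughly one attempt each and a low success rate, which differs from classic brute force (many attempts against one account). The Python below is an added example for this page, not code from the article or from Comcast; the log lines are constructed (RFC 5737 test addresses, made-up users), and the line format, thresholds and function names are assumptions of the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, Set

# Constructed sample auth log. 203.0.113.7 sprays one guess per account (stuffing),
# 198.51.100.5 is a normal user who mistyped once, 192.0.2.9 hammers one account.
SAMPLE_LOG = "\n".join(
    [
        "2015-11-08T21:00:01Z auth src=203.0.113.7 user=alice@example.net result=FAIL",
        "2015-11-08T21:00:02Z auth src=203.0.113.7 user=bob@example.net result=FAIL",
        "2015-11-08T21:00:02Z auth src=203.0.113.7 user=carol@example.net result=OK",
        "2015-11-08T21:00:03Z auth src=203.0.113.7 user=dave@example.net result=FAIL",
        "2015-11-08T21:00:03Z auth src=203.0.113.7 user=erin@example.net result=OK",
        "2015-11-08T21:00:04Z auth src=203.0.113.7 user=frank@example.net result=FAIL",
        "2015-11-08T21:00:05Z auth src=203.0.113.7 user=grace@example.net result=FAIL",
        "2015-11-08T21:00:06Z auth src=203.0.113.7 user=heidi@example.net result=FAIL",
        "2015-11-08T21:01:00Z auth src=198.51.100.5 user=ivan@example.net result=FAIL",
        "2015-11-08T21:01:30Z auth src=198.51.100.5 user=ivan@example.net result=OK",
    ]
    + [
        f"2015-11-08T21:02:{i:02d}Z auth src=192.0.2.9 user=judy@example.net result=FAIL"
        for i in range(20)
    ]
)

# Assumed log format: "<timestamp> auth src=<ip> user=<account> result=OK|FAIL".
LINE_RE = re.compile(r"^(\S+) auth src=(\S+) user=(\S+) result=(OK|FAIL)$")


@dataclass
class SourceStats:
    attempts: int = 0
    successes: int = 0
    users: Set[str] = field(default_factory=set)
    compromised: Set[str] = field(default_factory=set)  # accounts that logged in OK


def aggregate(lines: Iterable[str]) -> Dict[str, SourceStats]:
    """Roll up attempts, successes and distinct target accounts per source IP."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not auth events
        _ts, src, user, result = m.groups()
        s = stats[src]
        s.attempts += 1
        s.users.add(user)
        if result == "OK":
            s.successes += 1
            s.compromised.add(user)
    return stats


def flag_stuffing(
    stats: Dict[str, SourceStats], min_users: int = 5, max_attempts_per_user: float = 2.0
) -> Dict[str, dict]:
    """Flag sources that touch many accounts with few attempts each.

    Brute force against one account fails the min_users test; a real user who
    mistypes a few times fails it too. Accounts that succeeded from a flagged
    source are the ones to force-reset, which is the response the story describes."""
    flagged = {}
    for src, s in stats.items():
        n_users = len(s.users)
        if n_users >= min_users and s.attempts / n_users <= max_attempts_per_user:
            flagged[src] = {
                "users": n_users,
                "attempts": s.attempts,
                "successes": s.successes,
                "reset_accounts": sorted(s.compromised),
            }
    return flagged


if __name__ == "__main__":
    for src, info in flag_stuffing(aggregate(SAMPLE_LOG.splitlines())).items():
        print(src, info)
```

Tune `min_users` to your traffic: a NAT gateway in front of a campus legitimately logs in many accounts from one address, but with a high success ratio, so adding a success-rate ceiling is the usual next refinement.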
Re: (Score:2)
This is why I reset my passwords every 48 HOURS!
Re: (Score:2)
Remember, use nothing but special characters for security.
Re: (Score:2)
As few user passwords as possible is the way to go. There is zero reason for local logins, OAuth, SAML, Shibboleth, CAS, etc. etc. etc.
Recycled? Doesn't sound like Comcast got hacked (Score:2)
Recycled means it came from other sources, not from going into Comcast.
They flagged the guy as a scammer, too. Honor amongst thieves?
It's all in TFA