March 16, 2009 5:02 PM PDT

Comcast passwords leaked onto the Web

by Elinor Mills
Updated March 17 9:45 a.m. PST with Comcast saying there were 700 customer names on the list.

A list of 700 usernames and passwords for Comcast customers was removed from document-sharing Web site Scribd on Monday, two months after it was posted there.

Scribd removed the list of what initially looked like thousands of passwords and usernames after being contacted by Brad Stone at The New York Times. Stone wrote that he was contacted by a Comcast customer who happened across the list after doing a search on his own e-mail address on search engine Pipl.

Comcast spokeswoman Jennifer Khoury told The New York Times that the list was probably compiled from phishing or some other related type of attack and not from inside Comcast.

Comcast is freezing the e-mail accounts of customers whose data was exposed and is contacting them, she said.

"We have scrubbed the list that was on ScribD and have found that about 700 names are user ID's that are for Comcast customers, not 8,000," a Comcast spokesman said in an e-mail later. "The other names on the list are either not customers, duplicates or older inactive accounts (no e-mail address currently)."

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press. E-mail Elinor.
by Aquia33 March 16, 2009 5:25 PM PDT
This sure makes me feel good about COMCAST security and protection systems

Comcast spokeswoman Jennifer Khoury told The New York Times that the list was probably compiled from phishing or some other related type of attack and not from inside Comcast.
by nicmart March 16, 2009 5:36 PM PDT
This is the second Cnet piece I've read tonight with a sentence so badly and obviously botched:

"Thousands of user names and passwords for Comcast customers WAS removed from document sharing Web site Scribd on Monday, two months after it was posted there."

The dogs was fighting. Singular? Plural? Remedial writing? This reporter worked for Reuters? Yikes!
by nicmart March 16, 2009 5:56 PM PDT
The offending sentence has been removed, but no notation of an edit has been added. Cheesy.
by Imalittleteapot March 16, 2009 6:05 PM PDT
nicmart: Wow. The social gatherings at your place must just be off the hook.
by bigred45 March 16, 2009 6:11 PM PDT
I think you are the one who should take a remedial writing course. The subject of this sentence is "A list" which is singular, therefore, WAS is the proper word to use. You, young man or lady, should be sure you are right before you insult people.
by mjconver March 16, 2009 6:26 PM PDT
So, Mr. Nicmart, we see you have two jobs - grammarian, and anonymous coward. Tell us your blog address so that we can fairly judge your true sartorial skills.
by philipzhang2007 March 18, 2009 12:06 AM PDT
Very funny.
by CharlieatComcast March 16, 2009 6:10 PM PDT
Based on an initial analysis of the list, only about 700 of these accounts appear to be real. The list was likely generated as the result of a phishing scam or some kind of malware that affected customer computers.

We have no reason to believe that any Comcast systems have been compromised.

What did we do today and what are we doing?:

The site has removed the document.

We froze access to any real customer's account on that list and are in the process of proactively contacting customers to let them know about this situation and the steps they can take to help protect themselves.

The best thing anyone can do is make sure they have an up to date security software system running.

Comcast takes customer privacy very seriously and it is precisely because of times like this that we have been providing free security software and tools to help customers protect themselves from phishing scams and malware.
by Michichael March 17, 2009 11:29 AM PDT
I think people would take your claims a bit more seriously if Comcast provided the methodology that they used to come to this determination. Nobody will take a claim as ambiguous as "Based on an initial analysis of the list..."

What methods did Comcast use to justify this PR statement? Have they even considered the possibility that it's an internal leak, and if they've concluded that it was not, how did they come to this conclusion?

Transparency is the best policy in stuff like this - people are really wary of unsubstantiated statements nowadays, especially after the Bush era.
by redwall_hp March 16, 2009 6:19 PM PDT
Why aren't the passwords encrypted? You NEVER store users' passwords in plaintext! What is wrong with you, Comcast?
by c|net Reader March 17, 2009 5:45 AM PDT
Did you even read the story? The data ostensibly came from phishing attacks -- from the users -- not from Comcast.
by jtlevin March 16, 2009 8:35 PM PDT
Why the heck are passwords even being stored in clear text anymore? Haven't they heard of hashing? Yet another reason why I left Comcast.
by jasonatcomcast March 17, 2009 5:46 AM PDT
@redwall_hp and jtlevin:
Here's a quote from another forum:

Comcast spokeswoman Jennifer Khoury told the Times that it appeared the list did not originate from the company, as it contained duplicated data and lacked information like account numbers. "We have no reason to believe this came from Comcast. It looks like a phishing or related type of scheme," she said.
by c|net Reader March 17, 2009 5:46 AM PDT
You, too. Try reading comprehension.
by OneWithTech March 17, 2009 5:51 AM PDT
e-mail address (iPaper@Scribd.com) you add as a CC recipient on your e-mails. If there are any documents attached, they'll be uploaded to Scribd and hosted for you. Less than a minute later the service sends a second e-mail with a link to that document or documents on Scribd, all of which have been set to private--regardless of whether you or the people who are getting the e-mail have Scribd accounts.
by OneWithTech March 17, 2009 5:54 AM PDT
You mean a virus exploiting a comcast IT guys email account wouldn't do this? Maybe the virus would look for all / or certain docs on the machine and then uses the email system to upload the docs to Scribd. Thanks Scribd for Mitsubishi Galant Support Papers?
by pithenumber March 17, 2009 2:25 PM PDT
its comcraptic!
by john65001 March 17, 2009 3:26 PM PDT
Comcast rots. I wonder if they had to put in multiple trouble tickets, talk to five or six different people, and then wait a couple weeks for no response before they were able to freeze those accounts..
by justdenny March 17, 2009 10:02 PM PDT
I wonder how somebody would phish an "inactive account (no e-mail address currently)"
by shadowkeeper_24 April 3, 2009 12:25 PM PDT
I never realized how many people are so short-sighted as to blame a company for their own shortcomings.

1. If this was a security risk with Comcast, there would be no duplicate entries.
2. If this was a security risk with Comcast, there would be no inactive accounts, not in the number that is there. These email accounts were gotten over a period of time. Not all at once.
3. In response to some others who have no clue about technology. Any large company like Comcast, or any other company, is required by law to have all information encrypted. The only people who have things in plain text are regular people.
4. To the person who asks if Comcast has even checked to see if it is a leak. Well, once the passwords get entered into the system, they are encrypted. There is no access to pull passwords back out. That is how it works with all major companies that have to follow FCC regulations.
5. People who left Comcast because of this. Well, hope you live in the dark ages, because every large company out there follows the same FCC guidelines as Comcast because it is required by everyone. So if you have a problem with one company in this sense, you might as well have problems with all companies out there that work in the communication industry as well as any transactional facility.

So let's entertain the idea that it was something inside Comcast that got this information. It would have to be a high lvl employee, who has the access to the password storage system, who also knows the encryption algorithm, and since the encryption algorithm is one way not two way, he will have to be a high lvl programmer to hack the encryption algorithm - at this point, the military would have hired him and he wouldn't be working here. - OK, going on, he would copy all the active accounts he can see, be way over 8,000, wouldn't have any inactive accounts unless he is an idiot, but wait, he hacked the system, he isn't that dumb. Then for some reason add many invalid and duplicate email accounts for the fun of it. Why would he do that?

Let's entertain a phishing scam going on for a year+. Only gets people that go to it, hence 8000. A person who gets scammed once usually gets scammed twice, hence duplicate email accounts. People use fake emails at times, not trusting a site, hence invalid email accounts. Inactive email accounts, probably some of the first people to get scammed.

Which of these two is more likely to be the correct answer? The simpler of the two and the easier of the two.

From the looks of it there will be a few short-sighted people on here who will be scammed in the future and then blame other people for their short-sightedness.

P.S. I don't agree with some things about Comcast or other Big Companies, But I am an IT specialist and hate to see people get scammed and then blame the incorrect party instead of taking the necessary measures to not get scammed.