Comcast passwords leaked onto the Web

Updated March 17 9:45 a.m. PST with Comcast saying there were 700 customer names on the list.

A list of 700 usernames and passwords for Comcast customers was removed from document-sharing Web site Scribd on Monday, two months after it was posted there.

Scribd removed the list of what initially looked like thousands of passwords and usernames after being contacted by Brad Stone at The New York Times. Stone wrote that he was contacted by a Comcast customer who happened across the list after doing a search on his own e-mail address on search engine Pipl.

Comcast spokeswoman Jennifer Khoury told The New York Times that the list was probably compiled from phishing or some other related type of attack and not from inside Comcast.

Comcast is freezing the e-mail accounts of customers whose data was exposed and is contacting them, she said.

"We have scrubbed the list that was on ScribD and have found that about 700 names are user ID's that are for Comcast customers, not 8,000," a Comcast spokesman said in an e-mail later. "The other names on the list are either not customers, duplicates or older inactive accounts (no e-mail address currently)."

[Aquia33]

This sure makes me feel good about COMCAST security and protection systems

? Comcast spokeswoman Jennifer Khoury told The New York Times that the list was probably compiled from phishing or some other related type of attack and not from inside Comcast.

[nicmart]

This is the second Cnet piece I've read tonight with a sentence so badly and obviously botched:

"Thousands of user names and passwords for Comcast customers WAS removed from document sharing Web site Scribd on Monday, two months after it was posted there."

The dogs was fighting. Singular? Plural? Remedial writing? This reporter worked for Reuters? Yikes!

[nicmart]

The offending sentence as been removed, but no notation of an edit has been added. Cheesy.

[Imalittleteapot]

nicmart: Wow. The social gatherings at your place must just be off the hook.

[bigred45]

I think you are the one who should take a remedial writing course. The subject of this sentence is "A list" which is singular, therefore, WAS is the proper word to use. You, young man or lady, should be sure you are right before you insult people.

[mjconver]

So, Mr. Nicmart, we see you have two jobs - grammarian, and anonymous coward. Tell us your blog address so that we can fairly judge your true sartorial skills.

[philipzhang2007]

Very funny.

[CharlieatComcast]

Based on an initial analysis of the list, only about 700 of these accounts appear to be real. The list was likely generated as the result of a phishing scam or some kind of malware that affected customer computers.

We have no reason to believe that any Comcast systems have been compromised.

What did we do today and what are we doing?:

The site has removed the document.

We froze access to any real customer?s account on that list and are in the process of proactively contacting customers to let them know about this situation and the steps they can take to help protect themselves.

The best thing anyone can do is make sure they have an up to date security software system running.

Comcast takes customer privacy very seriously and it is precisely because of times like this that we have been providing free security software and tools to help customers protect themselves from phishing scams and malware.

[Michichael]

I think people would take your claims a bit more seriously if Comcast provided the methodology that they used to come to this determination. Nobody will take a claim as ambiguous as "Based on an initial analysis of the list..."

What methods did Comcast use to justify this PR statement? Have they even considered the possibility that it's an internal leak, and if they've concluded that it was not, how did they come to this conclusion?

Transparency is the best policy in stuff like this - people are really wary of unsubstantiated statements now adays, especially after the Bush era.

[redwall_hp]

Why aren't the passwords encrypted. You NEVER store users' passwords in plaintext! What is wrong with you, Comcast?

[c|net Reader]

Did you even read the story? The data ostensibly came from phishing attacks -- from the users -- not from Comcast.

[jtlevin]

Why the heck are passwords even being stored in clear text anymore? Haven't they heard of hashing? Yet another reason why I left Comcast.

[jasonatcomcast]

@redwall_hp and jtlevin:
Here's a quote from another forum:

Comcast spokeswoman Jennifer Khoury told the Times that it appeared the list did not originate from the company, as it contained duplicated data and lacked information like account numbers. ?We have no reason to believe this came from Comcast. It looks like a phishing or related type of scheme,? she said.

[c|net Reader]

You, too. Try reading comprehension.

[OneWithTech]

e-mail address (iPaper@Scribd.com) you add as a CC recipient on your e-mails. If there are any documents attached, they'll be uploaded to Scribd and hosted for you. Less than a minute later the service sends a second e-mail with a link to that document or documents on Scribd, all of which have been set to private--regardless of whether you or the people who are getting the e-mail have Scridb accounts.

[OneWithTech]

You mean a virus exploiting a comcast IT guys email account wouldn't do this? Maybe the virus would look for all / or certain docs on the machine and then uses the email system to upload the docs to Scribd. Thanks Scribd for Mitsubishi Galant Support Papers?

[pithenumber]

its comcraptic!

[john65001]

Comcast rots. I wonder if they had to put in multiple trouble tickets, talk to five or six different people, and then wait a couple weeks for no response before they were able to freeze those accounts..

[justdenny]

I wonder how somebody would phish an "inactive account (no e-mail address currently)"

[shadowkeeper_24]

I never realized how many people are so short sited as to blame a company for their own short commings.

1. if this was a security risk with comcast, there would be no duplicate entries.
2. If this was a security risk with comcast, there would be no inactive accounts. not in the number that is there. These email accounts where gotten over a period of time. Not all at once.
3. In response to some others who have no clue about technology. Any large company like comcast or any other company, is required by law to have all information encrypted. the only peole who have things in plain text are regular people.
4. To the person who asks if comcast has even checked to see if it is a leak. Well once the passwords get entered int the system. they are encrypted. there is no access to pull passwords back out. That is how it works with all major companies that have to follow FCC regulations.
5. People who left comcast because of this. Well hope you live in the dark ages, because. every large company out there follows the same FCC guidlines as comcast because it is required by everyone. So if you have problem with one company in this sence, you might as well have problems with all companies out there that work in the communication industry as well as any transactional facility.

So lets entertain the idea of it was something inside comcast that got this information. it would have to be a high lvl employee, who has the access to password storage system, who also knows the encryption algorithm, and since the encryption algorithm is one way not two way, he wil have to be a high lvl programmer to hack the ecryption algorithm-at this point, military would have hired him and he wouldn't be working here. - ok going on, he would copy all the active accounts he can see, be way over 8,000, wouldn't have any inactive accounts unless he is an idiot, but wait, he hacked the system he isn't that dumb. Then for some reason add many invalid and duplicate email accounts for the fun of it. Why would he do that.

Lets entertain a phishing scam going on for a year+. only gets people that go to it, hence 8000. A person who gets scammed once usually get scammed twice, hence duplicate email accounts. People use fake emails at times not trusting a site, hence invalid email accounts. inactive email accounts, probably some of the first people to get scammed.

Which of these two are more likely to be the correct answer. The simpler of the two and the easier of the two.

From the looks of it therer will be a few short sited people on here who will be scammed in the future and then blame other people for there short sitedness

P.S. I don't agree with some things about Comcast or other Big Companies, But I am an IT specialist and hate to see people get scammed and then blame the incorrect party instead of taking the necessary measures to not get scammed.