Update | 3:10 p.m. Comment from Comcast added at the end of the post.
A list of more than 8,000 user names and passwords for customers of Comcast, one of the nation’s largest Internet service providers, sat unprotected on the Web for the last two months.
Kevin Andreyo, an educational technology specialist in Reading, Pa., and a professor at Wilkes University, came across the list Monday on Scribd, a document-sharing Web site.
Mr. Andreyo was reading a recent article in PC World entitled “People Search Engines: They Know Your Dark Secrets… And Tell Anyone,” when he was inspired to find out what information about him was online. He searched for his own e-mail address on the search engine Pipl.
The list on Scribd was one of four results, and it also included his password, which was a riff on his love for a local sports team. Statistics on Scribd indicated that the list, which was uploaded by someone with the user name vuthanhan2004, had been viewed over 345 times and had been downloaded 27 times.
Mr. Andreyo informed Comcast, the F.B.I. and several technology journalists about the breach on Monday morning, but the document disappeared only at 1:45 p.m. when I contacted Scribd about it.
“That isn’t just my password for Comcast, it’s my password for everything that is not tied to my credit card,” Mr. Andreyo said in an interview. “It’s one thing to publish a credit card number, but to hand over user IDs and passwords for accounts is another. Someone could just go in and pull up all your archived messages, and then they have everything about you.”
I have asked Comcast how the information got online. It is possible that the people on the list divulged their passwords in response to some kind of phishing message, and that Comcast itself is not to blame.
Update: Comcast said it did not believe the information came from inside the company, pointing to duplicated data on the list and the lack of structured information like account numbers.
“We have no reason to believe this came from Comcast. It looks like a phishing or related type of scheme,” said Jennifer Khoury, a Comcast spokeswoman. (Asked about this possibility earlier today, Mr. Andreyo said that he doubted he was ever the victim of a phishing scheme.)
Ms. Khoury said that Comcast was freezing the e-mail accounts of the customers on the list and contacting them to educate them about using safe passwords. She said the company would also urge them to download McAfee Security Suite, software that is made available free to all Comcast users.Comcast also says the list of exposed customer IDs is closer to 4,000, given duplicates on the list.
Found this Post interesting? Receive new posts via RSS (What is RSS?) or Subscribe to CR by Email