Comcast Resets 200,000 Compromised Email Passwords, But Questions Remain

Comcast has reset the passwords for about 200,000 email accounts that appeared for sale on the Dark Web. However, there are a lot of questions about what the company knows and if there's more information out there to take.

Larry Loeb, Blogger, Informationweek

November 10, 2015

3 Min Read
<p align="left">(Image: SweetBabeeJay/iStockphoto)</p>

7 Hot Advances In Email Security

7 Hot Advances In Email Security

7 Hot Advances In Email Security (Click image for larger view and slideshow.)

Comcast, one of the largest cable and Internet providers in the US, claims it has reset the email passwords of 200,000 of its customers after they were offered for sale on the Dark Web, according to published reports. It's still not clear if there was a hack or not.

However, the seller of the email password dump is still taunting Comcast and hints there may be more personal information to leak and sell on the Dark Web.

To recap how Comcast and its customers got to this point: The offered password and email list that appeared on the Dark Web was actually composed of about 590,000 account name and password pairs when it came to wider attention.

However, Comcast quickly stated that it determined that only 200,000 were active accounts, according to a company spokesperson. These were the ones that were reset. The spokesperson denied that Comcast had bought the list from the seller, but had somehow managed to obtain its own copy for a comparison. The ones that matched active email accounts were the ones that were involved in the reset process.

All of this was first reported by CSO after a tipoff from security researcher @flanvel on Twitter. However, the origin of the list is the first question that pops to mind in order to find out what really happened.

To get answers, it's good to go to the source.

In an email exchange with InformationWeek, Flanvel writes:

The name of the market [where the list was offered for sale] is "Python Market." I spend a portion of my time exploring the dark net looking for breaches both manually and automatically through tools I've written. I came across this specific breach just browsing the market for new posts.

However, Flanvel is not so sure that the data that was being sold is new.

"It is my assumption, though the facts are not decisive, the data was being recycled from previous dumps, or a collection of multiple dumps. Many scammers will try to resell data or pad the numbers to turn a larger profit," Flanvel wrote in an email on Nov. 10.

The Comcast spokesperson denied a breach occurred for the current list. The company is suggesting it is a phishing scheme, which has prompted some to say that Comcast is actually blaming the victim. If you think about it, the mechanics of phishing for over half a million accounts makes that explanation seem self-serving.

Since the list was composed of about 70% deadwood accounts, according to Comcast, it seems that this is not the result of a recent breach. If it had been, the active count of email addresses and passwords would have been higher.

[Read about Microsoft's latest security acquisition.]

Flanvel also tweeted on Nov. 10, that the original poster was offering new Comcast dumps for sale.

Further, the poster responded to Comcast's phishing explanation with derision and scorn. Interestingly, whoever this person is, he or she misplaces the dollar sign in the money request for the dump. This might mean the person is not a native English speaker.

A thread on Reddit had discussed the available list before mainstream media wrote about it. The main takeaway from that discussion was the incredulity of the posters that the passwords were stored in plaintext.

This is not the first time that Comcast has had a problem with storing passwords in plaintext. A breach in 2009 exposed plaintext passwords. Comcast denied it had been breached and blamed a phishing scheme then as well.

This kind of company denial is in line with the last breach of 34 Comcast email servers reported in 2014. At that time, Comcast denied a loss of personal data had occurred.

About the Author(s)

Larry Loeb

Blogger, Informationweek

Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek. He has written a book on the Secure Electronic Transaction Internet protocol. His latest book has the commercially obligatory title of Hack Proofing XML. He's been online since uucp "bang" addressing (where the world existed relative to !decvax), serving as editor of the Macintosh Exchange on BIX and the VARBusiness Exchange. His first Mac had 128 KB of memory, which was a big step up from his first 1130, which had 4 KB, as did his first 1401. You can e-mail him at [email protected].

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights