Comcast Resets 200,000 Compromised Email Passwords, But Questions Remain
Comcast has reset the passwords for about 200,000 email accounts that appeared for sale on the Dark Web. However, there are a lot of questions about what the company knows and if there's more information out there to take.
Comcast, one of the largest cable and Internet providers in the US, claims it has reset the email passwords of 200,000 of its customers after they were offered for sale on the Dark Web, according to published reports. It's still not clear if there was a hack or not.
However, the seller of the email password dump is still taunting Comcast and hints there may be more personal information to leak and sell on the Dark Web.
To recap how Comcast and its customers got to this point: The offered password and email list that appeared on the Dark Web was actually composed of about 590,000 account name and password pairs when it came to wider attention.
However, Comcast quickly stated that it determined that only 200,000 were active accounts, according to a company spokesperson. These were the ones that were reset. The spokesperson denied that Comcast had bought the list from the seller; the company had somehow managed to obtain its own copy for a comparison. The entries that matched active email accounts were the ones involved in the reset process.
All of this was first reported by CSO after a tipoff from security researcher @flanvel on Twitter. The first question that comes to mind, in trying to find out what really happened, is the origin of the list.
To get answers, it's good to go to the source.
In an email exchange with InformationWeek, Flanvel writes:
"The name of the market [where the list was offered for sale] is 'Python Market.' I spend a portion of my time exploring the dark net looking for breaches both manually and automatically through tools I've written. I came across this specific breach just browsing the market for new posts."
However, Flanvel is not so sure that the data that was being sold is new.
"It is my assumption, though the facts are not decisive, the data was being recycled from previous dumps, or a collection of multiple dumps. Many scammers will try to resell data or pad the numbers to turn a larger profit," Flanvel wrote in an email on Nov. 10.
The Comcast spokesperson denied a breach occurred for the current list. The company is suggesting it is a phishing scheme, which has prompted some to say that Comcast is actually blaming the victim. If you think about it, the mechanics of phishing for over half a million accounts make that explanation seem self-serving.
Since the list was composed of about 70% deadwood accounts, according to Comcast, it seems that this is not the result of a recent breach. If it had been, the active count of email addresses and passwords would have been higher.
Flanvel also tweeted on Nov. 10 that the original poster was offering new Comcast dumps for sale.
Further, the poster responded to Comcast's phishing explanation with derision and scorn. Interestingly, whoever this person is, he or she misplaces the dollar sign in the money request for the dump. This might mean the person is not a native English speaker.
A thread on Reddit had discussed the available list before mainstream media wrote about it. The main takeaway from that discussion was the incredulity of the posters that the passwords were stored in plaintext.
This is not the first time that Comcast has had a problem with storing passwords in plaintext. A breach in 2009 exposed plaintext passwords. Comcast denied it had been breached and blamed a phishing scheme then as well.
This kind of company denial is in line with its response to the last breach, of 34 Comcast email servers, reported in 2014. At that time, Comcast denied a loss of personal data had occurred.