8,000 Comcast Passwords Exposed, Phishing Scam Suspected

The New York Times has reported that a list of over 8,000 Comcast user names and passwords was available to the public via Scribd for two months, before a Wilkes University professor discovered it over the weekend after doing a search for his identity online. Comcast is saying it looks like the result of a phishing scam and isn’t an inside job, and that there are so many duplicate entries on the list that it’s closer to 4,000 customers.
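The gap between the 8,000 lines in the leaked document and the far smaller number of real customer accounts comes from duplicates, junk lines and non-customer addresses. As an added example (not code from the article or from Comcast), here is the kind of triage a responder would run over such a list before deciding which accounts to freeze; the dump below is constructed, and the `comcast.net` domain filter is an assumption about what counts as a customer account.

```python
import re
from collections import Counter

# Constructed sample of a leaked "user:password" list. These are made-up
# entries, not data from the Scribd document the article describes.
SAMPLE_DUMP = """\
jdoe@comcast.net:Summer2008
JDoe@Comcast.net:Summer2008
jdoe@comcast.net : Summer2008
asmith@comcast.net:qwerty123
asmith@comcast.net:qwerty123
bob.lee@comcast.net:qwerty123
carol@example.com:letmein
not a credential line
:emptyuser
"""

# One "account:password" pair per line; tolerate whitespace around the colon.
LINE_RE = re.compile(r"^\s*([^:\s]+)\s*:\s*(\S.*?)\s*$")


def parse_dump(text):
    """Return (account, password) pairs with the account lowercased."""
    pairs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines that are not credentials are skipped, not guessed at
            pairs.append((m.group(1).lower(), m.group(2)))
    return pairs


def triage(text, customer_domain="comcast.net"):
    """Deduplicate a leaked list and report what actually needs action."""
    pairs = parse_dump(text)
    suffix = "@" + customer_domain
    customer = [(u, p) for u, p in pairs if u.endswith(suffix)]
    per_account = {}
    for user, pw in customer:
        per_account.setdefault(user, set()).add(pw)
    # Count how many distinct customer accounts share the same password:
    # those users are exposed beyond this one provider (password reuse).
    pw_counts = Counter(pw for pws in per_account.values() for pw in pws)
    return {
        "raw_lines": sum(1 for l in text.splitlines() if l.strip()),
        "parsed_pairs": len(pairs),
        "non_customer": len(pairs) - len(customer),
        "accounts_to_freeze": sorted(per_account),
        "shared_passwords": {p: n for p, n in pw_counts.items() if n > 1},
    }


if __name__ == "__main__":
    print(triage(SAMPLE_DUMP))
```

Normalizing case and whitespace is what collapses the repeated `jdoe` lines into one account; the `shared_passwords` output flags which customers should also be told to change that password elsewhere.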

The man who discovered it, Kevin Andreyo, deserves a slap on the back for using the power of the web to track down personal information about himself—he used pipl to perform a search on his name and address—and he deserves a slap somewhere else for using the same password on every account.

“That isn’t just my password for Comcast, it’s my password for everything that is not tied to my credit card,” Mr. Andreyo said in an interview.

People! Do not do that! Unless you suffer from brain damage or some form of learning disability, your brain can remember more than one password. Do not make it easy for scammers by using a master key that can open any door into your personal life.

If you’re worried that you were on the list, the easiest way to tell is to see if your Comcast email account has been frozen—Comcast is taking this measure as well as “contacting them to educate them about using safe passwords.”

“Passwords of 8,000 Comcast Customers Exposed” [New York Times]
(Photo: scriptingnews)

Comments


  1. pentium4borg says:

    Is there a way to find out if your account is on the list if you don’t have a Comcast email account?

  2. justbychance says:

    Don’t want to be disemvoweled.. but the title is misspelled.

    Relating to the article, Comcast is huge and while this behavior can’t be condoned scammers go after the biggest providers since they stand to gain the most. People just need to be more careful with passwords and just like your 401(k)…diversify.. diversify…diversify.

  3. paulrules says:

    Oh wow. 4,000 stupid Comcast customers? Like I didn’t see that coming…

  4. comcastcares says:

    We have been reviewing this all day and here is some additional info. It is about 700 active accounts. The others are duplicates, non-existent or inactive. They appear to be compromised through phishing attacks. We would recommend everyone be careful of phishing emails. We do offer the McAfee suite and the Comcast toolbar for free to our Customers at [security.comcast.net]. These tools help to prevent such attacks. It is important for everyone to be careful with passwords for all your accounts.

    Thank you!
    Frank

    • Cocoa Vanilla says:

      @comcastcares: Frank, I am glad you took the time to respond to this, especially considering it’s not Comcast’s fault. I hate Comcast just as much as everyone else, but honestly everyone, it’s not Comcast’s fault some idiots responded to a phishing email.

    • bxbrett says:

      @comcastcares:

      Thanks for the update Frank.

    • From the cubicle of PGibbons says:

      @comcastcares: 8,000-> 700 is a huge drop. And if they’re by phishing attacks, then there isn’t a heck of a lot Comcast can do – it’s not their computers, it’s not their passwords… Out of Comcast’s huge user base, 700 is nothing.

      It’s really the users that are exposing their passwords, and you can’t make anything idiotproof because they just keep making better idiots! Comcast seems to be off the hook here.

      That said, Comcast is still evil.

  5. usa_gatekeeper says:

    Wow! Every time I click on the title line above, my Norton Internet Security goes wild with phishing warnings.

  6. missjulied says:

    Sure, my brain can remember more than one password – but it can’t remember the maybe 40 I have between work, financial accounts, email/IM apps, store accounts, application accounts, etc. I’ve got mine in a password-protected file so I really only have to remember one, but I can see how many people just give up and use the same password across myriad accounts.

    • tsume says:

      @missjulied:

      I tried the whole different password thing before. Problem is, I’ve got to have over 100 different accounts on various forums across the web (partially to blame are forum operators who block links/attachments/pictures/threads to guests). More often than not, I find myself locked out of vBulletin based sites and other sites that block your IP for XX minutes after XX amount of incorrect tries. I’ve got 6 usernames I commonly use (depending on the website’s requirements- which I will -not- remember) and over 20 passwords. That’s 180 combinations. Most sites will lock me out before I get to try 180 times.

      I’ve switched to a 3 username 3 password system going forward. Throwaway sites get username 1 or 2 and password 1. Sites such as digg, consumerist, and all computers that are not my main computer get username 3 and password 2. Banking and email sites get username 3 and password 3. This means the majority of sites I visit have an easy password, and the more important sites have a difficult password.

  7. wagnerism says:

    I always use

    1
    2
    3
    4
    5

    /that was on tv the other day

  8. lessemm says:

    There are many convenient ways to generate and manage random passwords.

    Personally, I use a different e-mail address and randomly generated password (using apg) for each account. Those go in a text file that is encrypted with bcrypt:

    [bcrypt.sourceforge.net]

    I use a master key to encrypt the files and store the text files on a private server.

    For added security, use randomly generated strings as answers to your security questions and store those in the text file as well.

    There are a lot of password generators and password managers out there. A good place to start is to type “password generator”, “password manager”, or “random password generator” into your favorite search engine.

    Be wary of on-line tools, and, if possible, opt for open source tools that install on your local computer.

    I do all of this on a *nix machine. I’m interested if someone has specific suggestions about nice and free solutions for Windows and Mac.

  9. B says:

    I just use ********* Easy to remember, and you can tell what you’ve typed.
    Ummm, don’t tell anyone, ok?

    • madog says:

      @B: it’s cool that The Consumerist can block passwords like that. Like I’ll just type in my password ****** and you guys only see it as stars. You guys should try it out too. It’s a feature of Web 2.0!

  10. durkzilla says:

    @wagnerism (reply link no workie in Chrome):

    That’s amazing! I have the same combination on my luggage!

  11. Anonymous says:

    I use only 3 or 4 different passwords. I generally create a new one only when I have to, because a new place requires specific numbers.

    The way I see it, though, I keep track of my credit, and it’s pretty much so bad they couldn’t make it worse. Not remembering takes more of my time, and I’m not a big worrier, so I’m not kept up at night over it.

    For PINs, I use four-letter words. I’m gonna switch it up though, soon. It’s time for a new one, but so far no one has stolen my library id, so not too big a deal.

  12. nybiker says:

    Thanks to my curiosity I just spent 2 hours looking at the pipl site. I found a few people I had lost touch with. Amazing site. Check it out if you really want to look up some stuff. Scary and fun at the same time.

  13. Evil_Otto would rather pay taxes than make someone else rich says:

    The password problem is easily solved. Use the name of the site and an algorithm to generate passwords. In other words, if the site is “the consumerist” you might make the password “consumerithest” or something like that.

    • wastedlife says:

      @Evil_Otto: Someone posted something similar either here or maybe Lifehacker. Their version was to make a relatively secure password that is simple to remember like “m@nK3y”. Then use a derivative of that for each site. So consumerist could be “them@nK3yconsumer”.

      Another way is to use something like KeePass along with a folder sync app like Dropbox (which is free for up to 2GB of data, more than enough for a password database). KeePass helps you create, manage and use an encrypted database of your passwords protected with a strong password (that you should change regularly). Dropbox will let you have a shared directory between all of your computers. Using both means you will always have a secure password file on all of your computers.

  14. oneandone says:

    That pipl site – very useful. Thanks for the link.

    But also cringe-inducing. It has a lot more than google results and somehow managed to dig up a lot of old usenet posts from 1997. Back when the internet was all ASCII (well, mine was….) and everyone used their full name for everything. At least I had the presence of mind to use complete sentences. But there’s nothing like reading posts from 10+ years ago to make you feel awkward. This is why I don’t keep a diary, internet! Why are you storing everything?

  15. HogwartsAlum says:

    I’m going to try that pipl thing when I get home.

    I try not to use the same password, but I have a couple of things that are. That should probably change!

    I pull them from a favorite movie, or book or something and mix them up a bit. Like for example if I were to use “Ghostbusters” (not what I really use!) it would be something like “VenkmanGB1!” so it has a number and a character too.

  16. Anonymous says:

    For missjulied who needs 40 different passwords for all the different places. I use a formula for passwords … there is some code associated with the site or function, easy to remember like “D” for discussion list, then the “code word or phrase of the month”. That is first level of security. For really important stuff, I try not to have that on my computer, and figure out how to clear cache on rare occasions where I do need to key in something critical. This leaves the bad habit of “Do you want your computer to remember the password for you?” and, after some kind of crash, locating passwords that were on that crashed computer, and not some place else.

    I do some tech support at work, where there are maybe a dozen super-user passwords. I wrote them down & put in a sealed envelope & gave to my boss, saying to please put in safety deposit box, or otherwise secure location, not to be opened until you lose me as an employee.