Earlier this week it was reported that a list of Comcast customers’ usernames and passwords, 8,000 entries long, was exposed on a public website for at least two months. A man by the name of Kevin Andreyo who works as a professor at Wilkes University came across the list while performing a search for his own personal e-mail address. The search dug up a website called Scribd which is a document sharing site that housed the list of 8,000 user names and passwords including Mr. Andreyo’s.
Reportedly the list had been viewed “over 345 times and downloaded 27 times.” This in it of itself is a relatively small number but means that the list is still out there and can be shared again or even added to.
A spokesperson for Comcast commented stating that the list contained only 700 active accounts and that the rest were either dead or not Comcast customers. She also stated she does not believe the breach came from within the company because the manner in which the list was created was sloppy.
Comcast can downplay this as much as they’d like but it sounds to me like, at least, 345 people got their hands on a seriously dangerous resource. At the safest end of the spectrum of what could happen with this, people can add to their lists of known usernames and more importantly list of known passwords. I’ve seen what a wordlist compiled of actual passwords can do and 8,000 attempts would fly by in less than 3 or 4 seconds.
Also if only a fraction of items on the list were Comcast customers, what were the other items customers of? Chase? Bank of America? AIG executives?
I guess it’s just a good thing that it was only up for two months, as far as we know, even though that is two months too long.
[tags]comcast, password leak, inadequate response, corporate bullshit[/tags]
