590K Comcast User Passwords Stolen, Company Blames Customers

Top Tech News – by Jennifer LeClaire

Telecom giant Comcast was hacked but it refuses to take the blame. The company is being forced to reset passwords for about 200,000 customers after revelations that account information was leaked and put up for sale on the black market.

Over the weekend, the Dark Web marketplace offered up a list of 590,000 Comcast e-mail addresses and passwords. Also known as the Deep Web, the Dark Web is a slew of sites that run on darknets that require specific software or special access to reach. Hackers often use the Dark Web to sell information obtained illegally.  

The seller ponied up a list of over 100 accounts as proof it had the Comcast customer goods. The sale price was $300 for 100,000 accounts. The real bargain was $1,000 for all 590,000 accounts. According to news reports, only about 200,000 of the accounts were actually active.

Comcast Denies Responsibility

In published statements, Comcast insisted its databases and apps were not hacked. The company, instead, pointed its finger back at its customers, claiming they may have compromised themselves by visiting sites hosting malware or were otherwise tricked into revealing their passwords.

“We’re taking this seriously and we’re working to get this fixed for those customers who may have been impacted,” a Comcast spokesperson said in a statement. “But the vast majority of information out there was invalid.”

However, Comcast said because it was not hacked, it will not offer free credit monitoring to individuals affected in the incident, according to reports.

The Social Economy

We caught up with Tim Erlin, director of IT security and risk strategy at advanced threat detection firm Tripwire, to get his thoughts on the event. Unfortunately for Comcast, proving a negative is always a tough position, he told us.

“Comcast may not have any indication or evidence that these account details came from a compromise, but their customers’ details are up for sale and their name is in the headlines,” Erlin said. “Customers are increasingly part of the supply chain for the social economy. It’s in most organizations’ best interest to protect their customers, even from themselves. You may not be responsible for their mobile device or laptop, but if data that’s valuable to your organization flows across it, you should have a vested interest in the security of that device.”

Comcast’s History

Comcast may be trying to throw water on a fire, given that in September the cable operator agreed to pay $33 million to settle up with California authorities after a privacy breach. That breach was smaller in scope but more potent in consequences — the names, phone numbers and addresses of 75,000 people were leaked between 2010 and 2012.

As part of the settlement, Comcast is required to shell out $25 million in penalties and investigative costs to the California Department of Justice and the California Public Utilities Commission. Comcast will also pay about $8 million in additional restitution to customers whose numbers were disclosed without permission.

“Publishing personal information that should have been unlisted is unlawful and a troubling breach of privacy,” said California Attorney General Kamala Harris in a statement. “This settlement provides meaningful relief to victims, brings greater transparency to Comcast’s privacy practices and sends a message that violations of consumers’ privacy will result in significant penalties.”

