son of a breach 2?!.....breach @ Comcast Xfinity......
Posted by: NewtonMP2100
Date: August 09, 2018 06:43AM
......social security # and partial addresses for 26m........


PSA: Security flaws exposed partial addresses & social security numbers of 26M Comcast users

......Comcast Xfinity customers are the latest to be affected by lax online security. According to a report from BuzzFeed News, more than 26.5 million customers had their partial home addresses and social security numbers exposed…

Security researcher Ryan Stevenson first uncovered the security flaws. These vulnerabilities were in Comcast’s online customer portal and made it “easy for even an unsophisticated hacker to access this sensitive information.”

BuzzFeed News informed Comcast of the security holes, and the internet provider was quickly able to patch the flaws. In a statement addressing the data breach, a Comcast spokesperson explained that it blocked the security vulnerabilities within “hours,” while also reaffirming the company’s commitment to security:

Spokesperson David McGuire told BuzzFeed News, “We quickly investigated these issues and within hours we blocked both vulnerabilities, eliminating the ability to conduct the actions described by these researchers. We take our customers’ security very seriously, and we have no reason to believe these vulnerabilities were ever used against Comcast customers outside of the research described in this report.”

One of the flaws related to an “in-home authentication page” where a user is able to pay their bills without signing in. The portal allowed customers to verify their account information based on partial home addresses suggested by the Comcast site, if the device was or appeared to be connected to the home network:

Eventually, the page would show the first digit of the street number and first three letters of the correct street name, while asterisks hid the remaining characters. A hacker could then use IP lookup websites to determine the city, state, and postal code of the partial address.

The second vulnerability was discovered via a sign-up page for Comcast Authorized Dealers. By using a customer’s billing address, a hacker could “brute force the last four digits of a customer’s social security number.” Eventually, because the page did not limit the number of attempts, hackers would reveal the social security number:

Armed with just a customer’s billing address, a hacker could brute force (in other words, repeatedly try random four-digit combinations until the correct combination is guessed) the last four digits of a customer’s social security number. Because the login page did not limit the number of attempts, hackers could use a program that runs until the correct social security number is inputted into the form.

Comcast says it is still investigating the vulnerabilities, but has yet to find any foul play thus far.



another...........breach.............?!



____________________________________________________

I reject your reality and substitute my own!
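The missing control in the second flaw quoted above is an attempt limit on the last-four-digits check. The sketch below is an added example, not part of the original post or Comcast's code. It counts failures per billing address rather than per client, so a four-digit value cannot be enumerated from many connections. All names, the in-memory store, the 5-failure / 15-minute policy and the sample record are assumptions.

```python
import hmac
import time

# Constructed sample data: normalized billing address -> last four SSN digits.
SAMPLE_RECORDS = {"123 EXAMPLE ST, ANYTOWN": "4821"}

class AttemptLimiter:
    """Counts failed verifications per target account, not per client IP."""
    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._state = {}  # target key -> (failure_count, locked_until)

    def allowed(self, key):
        _, locked_until = self._state.get(key, (0, 0.0))
        return self.clock() >= locked_until

    def record_failure(self, key):
        count, locked_until = self._state.get(key, (0, 0.0))
        if count + 1 >= self.max_failures:
            # Lock the target; the count restarts once the lockout expires.
            self._state[key] = (0, self.clock() + self.lockout_seconds)
        else:
            self._state[key] = (count + 1, locked_until)

    def reset(self, key):
        self._state.pop(key, None)

def normalize(address):
    return " ".join(address.upper().split())

def verify_last4(limiter, records, billing_address, guess):
    """Return 'ok', 'denied' or 'locked' for one verification attempt."""
    key = normalize(billing_address)
    if not limiter.allowed(key):
        return "locked"  # the guess is not evaluated at all
    expected = records.get(key)
    # Unknown addresses count as failures too, so replies do not reveal
    # which addresses belong to customers.
    if expected is not None and hmac.compare_digest(expected.encode(), guess.encode()):
        limiter.reset(key)
        return "ok"
    limiter.record_failure(key)
    return "denied"

def evaluated_guesses(limiter, records, address):
    """Regression check: (guesses evaluated and denied, whether any matched)."""
    results = [verify_last4(limiter, records, address, f"{n:04d}") for n in range(10000)]
    return results.count("denied"), "ok" in results
```

With this policy only 5 of the 10,000 possible values are evaluated per lockout window, and even the correct value is refused while the address is locked.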
Re: son of a breach 2?!.....breach @ Comcast Xfinity......
Posted by: datbeme
Date: August 09, 2018 07:30AM
Why would Comcast have customers' SSNs?
Re: son of a breach 2?!.....breach @ Comcast Xfinity......
Posted by: space-time
Date: August 09, 2018 08:15AM
If you search the forum back in 2012 or so, I posted that I discovered a serious security flaw at a major corporation. Yes, it was Comcast.

What happened: my modem was crapping out, so I went to Target and got a NEW modem. When I opened it at home, I suspected something wasn't quite right. I think the ethernet cable was missing, and some of the cable twisty ties looked like they were reused. Anyway, as my old modem was not working, I plugged this new modem in and I was expecting to have to call Comcast to activate... no, it just worked. I logged into my Comcast account, then a few hours later when I tried to log in again I was in fact in someone else's Comcast account. I could see their bills, emails, etc. I looked up their name, it was a person living in the next town over.

I guess they used that modem, didn't like it and returned it to Target. Target resold it as new. Comcast still had the modem activated ("provisioned") and they used that MAC address to log into the owner account somehow. I guess once you logged in, then on the next log in they used the MAC address instead of cookies in your browser. So I ended up in that person's account.

Here is the original story.

[forums.macresource.com]
Re: son of a breach 2?!.....breach @ Comcast Xfinity......
Posted by: space-time
Date: August 09, 2018 08:17AM
They ask for SSN when you sign up for mobile service for example. I guess most post-paid accounts need an SSN. They do NOT run a credit report though, at least not for me, since I had internet/cable for 10+ years and never paid the bill late.

I do not recall if 10 years ago when I got cable they asked for SSN, but they did ask yesterday when I ported my ATT iPhone to Xfinity.
Re: son of a breach 2?!.....breach @ Comcast Xfinity......
Posted by: Ombligo
Date: August 09, 2018 11:10AM
There is no valid reason for them to need an SSN. Given the issues with hacking, a company is stupid to even want that information due to liability.



“No persons are more frequently wrong, than those who will not admit they are wrong.”
-- François de La Rochefoucauld

"WE CALL BS!" -- Emma Gonzalez
Re: son of a breach 2?!.....breach @ Comcast Xfinity......
Posted by: N-OS X-tasy!
Date: August 09, 2018 12:19PM
Quote
datbeme
Why would Comcast have customers' SSNs?

To perform credit history checks, I would imagine.



It is what it is.
Re: son of a breach 2?!.....breach @ Comcast Xfinity......
Posted by: The Grim Ninja
Date: August 09, 2018 07:03PM
Quote
Ombligo
a company is stupid to even want that information due to liability.

Liability? That implies that there are consequences for breaches due to lax security. I haven't seen anything besides a minor fine, if that.