Comcast User Names and Passwords Exposed
It is not clear whether Andreyo contacted Scribd directly, but he did report his findings to Comcast, the F.B.I., and a number of journalists. Once New York Times reporter Brad Stone contacted Scribd, the document was pulled yesterday afternoon.
"That isn't just my password for Comcast, it's my password for everything that is not tied to my credit card... It's one thing to publish a credit card number, but to hand over user IDs and passwords for accounts is another. Someone could just go in and pull up all your archived messages, and then they have everything about you." -- Kevin Andreyo from his interview with the New York Times
Although Andreyo claims it is unlikely he was the victim of a phishing attack, Comcast spokesperson Jennifer Khoury told the New York Times: "We have no reason to believe this came from Comcast. It looks like a phishing or related type of scheme." Comcast's belief that the list was not purloined directly from its own systems rested at least in part on the large amount of "duplicated data" in the list and on "the lack of structured information like account numbers." So much of the data was duplicated, in fact, that Comcast estimated the total number of exposed customers at around 4,000.
Later in the day, DSLReports.com also covered the story. The statement DSLReports.com received from Comcast reflects more time spent investigating the matter, and indicates that the damage was not quite as bad as it first seemed:
"Earlier today, we were alerted a Web site was hosting a document that reportedly contained Comcast.net customer user IDs and passwords. Based on an initial analysis of the document, we have identified that only about 700 of these accounts are real. The list was likely generated as the result of a phishing scam or some kind of malware that affected customer computers. We have no reason to believe that any Comcast systems have been compromised. The site has removed the document and we are in the process of freezing access to any customer's account on that list. We are also in the process of proactively contacting customers to let them know about this situation and the steps they can take to help protect themselves. Comcast takes customer privacy very seriously and it is precisely because of times like this that we have been providing free security software and tools for years to help customers protect themselves from phishing scams and malware." -- Comcast statement to DSLReports.com
How this list of roughly 700 real Comcast customers' user names and passwords (along with, presumably, many fake accounts) made it onto Scribd, and where the data originally came from, remains a mystery; we may never learn the full, true story. The incident is still a reminder to follow safe practices online: run security software with current definition files, be very wary of who you share personal information with, and use a unique, non-dictionary password for each site you have an account on. Security software company Sophos reports that 33 percent of people use the same password on multiple websites.
Of course, these preventative measures only help when the leak originates on our end, via a phished credential or malware on our own machine; if the data is leaked by our service providers or by the sites we do business with, much of that proactive behavior is rendered useless (a unique password per site at least keeps one leaked credential from unlocking every other account, which is exactly the exposure Andreyo describes above). Somehow, the draconian alternative of never going online in the first place doesn't seem like a viable option. In the meantime, you might try a few of the "deep web" search engines, such as pipl and Spokeo, to see what information about you is already online for the world to see. Hopefully you won't be surprised by what you find.
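Comcast's reasoning above (heavy duplication and no structured fields, so the list looks like phishing or malware output rather than a database export, and only a fraction of the entries are real) and the password-reuse point from Sophos are both things a responder checks mechanically when handed a dump like this. The script below is an added example written for this page; it is not Comcast's tooling and not code from the original article. SAMPLE_DUMP is a constructed list of invented entries in the "user:password" shape the story describes, and DICTIONARY is a tiny stand-in for a real wordlist.

```python
"""Triage a leaked credential list: deduplicate entries, count distinct
accounts in the provider's domain, and flag password reuse and
dictionary passwords.  Added example; all data here is constructed."""
import re
from collections import defaultdict

# Constructed sample (every entry is invented).  Note the case variants,
# the repeated line with different spacing, the off-domain account, the
# junk line, and the inconsistent separators, all typical of such dumps.
SAMPLE_DUMP = """\
alice@comcast.net:Summer2008
ALICE@comcast.net:Summer2008
bob@comcast.net:password
bob@comcast.net : password
carol@comcast.net:Tr0ub4dor&3
dave@comcast.net:password
erin@gmail.com:letmein
this line is not a credential
frank@comcast.net;welcome
"""

# user@domain, then one of : ; , as separator, then the password.
CREDENTIAL_RE = re.compile(r"^\s*([^\s:;,]+@[^\s:;,]+)\s*[:;,]\s*(\S+)\s*$")

# Stand-in dictionary (assumption: a real run loads a full wordlist).
DICTIONARY = {"password", "letmein", "welcome", "summer", "qwerty"}


def parse_dump(text):
    """Yield (username, password) pairs with the username case-folded.
    Lines that do not look like a credential are skipped, not guessed at."""
    for line in text.splitlines():
        m = CREDENTIAL_RE.match(line)
        if m:
            yield m.group(1).lower(), m.group(2)


def is_dictionary_password(password):
    """True if the password, ignoring case and trailing digits, is a word
    in DICTIONARY ("Summer2008" -> "summer")."""
    stripped = re.sub(r"\d+$", "", password.lower())
    return stripped in DICTIONARY


def triage(text, domain):
    """Summarise a dump the way a provider would before freezing accounts."""
    pairs = list(parse_dump(text))

    passwords_by_user = defaultdict(set)   # account -> passwords seen for it
    users_by_password = defaultdict(set)   # password -> accounts using it
    for user, pw in pairs:
        passwords_by_user[user].add(pw)
        users_by_password[pw].add(user)

    in_domain = {u for u in passwords_by_user if u.endswith("@" + domain)}
    reused = {pw: sorted(users) for pw, users in users_by_password.items()
              if len(users) > 1}
    dictionary_accounts = sorted(
        u for u, pws in passwords_by_user.items()
        if any(is_dictionary_password(p) for p in pws))

    return {
        "raw_lines": sum(1 for l in text.splitlines() if l.strip()),
        "parsed_entries": len(pairs),
        "unique_accounts": len(passwords_by_user),
        "in_domain_accounts": len(in_domain),
        "reused_passwords": reused,
        "dictionary_password_accounts": dictionary_accounts,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DUMP, "comcast.net").items():
        print(f"{key}: {value}")
```

On the constructed sample, nine raw lines collapse to six distinct accounts, five of them in the provider's domain, which is the same shrinkage Comcast reported going from the headline line count to "about 700" real accounts. The reused-password map is what lets a provider warn the right customers that one leaked credential probably opens other sites too.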