(Blog has been updated to reflect additional information from the New York Times and Comcast since originally being posted on Tuesday morning)
Confidential Comcast customer passwords and usernames appear to have been posted to a Web site where the data went largly undetected by Comcast for more than two months, according to a report by the
New York Times
. And it was an alert PC World reader who helped uncover the data, when a document containing what appeared to be 8000 e-mail accounts and passwords was found on Scribd.com, according to the New York Times
. The New York Times has since updated its report and now says 700 (not 8000) users had their information posted to the Web site.
After reading the PC World article “People Search Engines: They Know Your Dark Secrets… And Tell Anyone,” a concerned Kevin Andreyo tracked his name to see where his information was being disseminated. It was on Scribd that Andreyo discovered the document that contained the sensitive Comcast data; it had been viewed over 345 times and downloaded 27 times. Scribd has since removed the document, but apparently only after contacted by the Times.
When confronted with the problem, Comcast blamed a phishing scam. The company also pointed out that many of the 8000 entries were duplicates, and conservatively lowered the number to 4000 exposed user accounts, according to the original Times report. Comcast denied the hack was internal, claiming that if it were an internal document, it would contain much more information than just e-mail addresses and passwords, and probably would have been better organized.
DSLReports.com nabbed a statement from Comcast that claims the total number of impacted customers is 700. Comcast says the data breach was the result of “a phishing scam or some kind of malware that affected customer computers.” Comcast has frozen the afflicted accounts and is contacting individuals with information about where to download the McAfee Security Suite, which is free for Comcast subscribers.
It’s interesting to me that Comcast can claim this is not an internal job. My opinion is if it were a wider-ranging phishing scam, wouldn’t e-mail accounts for users other than Comcast appear on the list? Why would a phishing scam target only Comcast.net users?
There’s also quite a discrepancy when it comes to the number of afflicted customers. Eight thousand to 4000 to 700? Seems to me that Comcast is playing the PR game, which you can hardly blame them for doing.