Comcast is doing some clean-up work this week on a recently discovered data breach.
An initial list of 8,000 Comcast usernames and passwords was unearthed over the weekend on the document-sharing Web site Scribd. Comcast was alerted to the list Monday and immediately had it pulled down for analysis, said Charlie Douglas, director of communications for Comcast’s high-speed Internet product. The company is now working with “the proper authorities” to investigate the leak.
After some analysis of the list, Comcast has declared that the actual number of legitimate names and passwords on the list is closer to 700 — the others are expired, repeats or otherwise unusable. The “lack of structured information” in the online list has led Comcast to point fingers at phishing scams or bots.
“We have no reason to believe that it [the list] is from within Comcast,” Douglas said. “The document in that initial analysis looked like jumbled data collected from a phishing scam or bot or some kind of machine. The list was full of duplicative or erroneous information, so that suggested to us that it was not a polished document.”
Since Monday, Comcast has been telephoning customers whose usernames were identified on the list. The calls walk customers through a step-by-step process for creating safe passwords and downloading McAfee Security software — which is offered for free to all Comcast customers. The company is also freezing the e-mail accounts of customers on the Scribd list.
“This sort of thing happens all the time on the Internet,” noted Douglas, “and people have to be vigilant. These kinds of attacks happen, and we fight them, and we have a dedicated team to do that. Our director of security gives radio tours, and we did a satellite media tour around safe shopping at the holidays, and we will probably do another one.”
Comcast maintains a security site at Comcast.net/security, which contains information on identifying and avoiding phishing attacks, choosing strong passwords and other online safety measures.
The New York Times has reported that the list was up on the site, unprotected, for two months before being discovered and taken down. The paper also said that the list had been viewed close to 350 times and downloaded 27 times. Douglas said Comcast had received no customer complaints or reports of the data being misused.