Use Comcast? Change Your Password
Strong passwords that are changed frequently are the first line of defense against account compromise. This is the lesson being learned by a number of Comcast customers this week, as the appearance of a mass login list prompts the company to begin freezing accounts.
The list in question was posted to file-sharing site Scribd some two months ago, but it wasn't until midday yesterday — after a New York Times reporter began asking questions — that the site's administration finally removed it from circulation. The document reportedly contained over 8,000 lines, though due to duplication, it was estimated that the list contained the information of around 4,000 users. Comcast claims only 700 of the accounts in the list belong to current Comcast customers. The company believes that phishing attacks or other forms of password lifting were responsible for the compromised credentials, rather than an inside job.
The situation came to light after a Wilkes University professor read a PC World article about search engines like Pipl that specialize in information about individuals. Curious, the professor, Kevin Andreyo, searched for information about himself and discovered the list on Scribd, complete with his email address and current password. Andreyo in turn contacted the FBI and Comcast on Monday morning — along with a number of technology journalists, including the New York Times' Brad Stone. It wasn't until Stone contacted Scribd several hours later that the site finally pulled the list, though it had already been viewed several hundred times — and downloaded a few dozen times — in the two months it was on the site.
According to reports, Comcast has frozen all the compromised accounts and will be educating the users about safe password practices. It's likely that Comcast accounts weren't the only ones to be compromised: Andreyo — who in addition to his role as professor is also described as an "educational technology specialist" — revealed that he, like many, used the same password everywhere else online. It is a chilling reminder to everyone of how important it is to properly protect one's passwords and to operate in a safe and secure manner — even to those of us who are quite aware that we ought to know better.