Passwords of Comcast Customers Exposed

By Brad Stone

A list of user names and passwords for customers of Comcast, one of the nation’s largest Internet service providers, sat unprotected on the Web for the last two months.

The list was 8,000 lines long, but Comcast said late Monday that just 700 of those lines contained information for active customer accounts.

Kevin Andreyo, an educational technology specialist in Reading, Pa., and a professor at Wilkes University, came across the list Monday on Scribd, a document-sharing Web site.

Mr. Andreyo was reading a recent article in PC World entitled “People Search Engines: They Know Your Dark Secrets… And Tell Anyone,” when he was inspired to find out what information about him was online. He searched for his own e-mail address on the search engine Pipl.

The list on Scribd was one of four results, and it also included his password, which was a riff on his love for a local sports team. Statistics on Scribd indicated that the list, which was uploaded by someone with the user name vuthanhan2004, had been viewed over 345 times and had been downloaded 27 times.

Mr. Andreyo informed Comcast, the F.B.I. and several technology journalists about the file on Monday morning, but the document disappeared only at 1:45 p.m. when I contacted Scribd about it.

“That isn’t just my password for Comcast, it’s my password for everything that is not tied to my credit card,” Mr. Andreyo said in an interview. “It’s one thing to publish a credit card number, but to hand over user IDs and passwords for accounts is another. Someone could just go in and pull up all your archived messages, and then they have everything about you.”

I have asked Comcast how the information got online. It is possible that the people on the list divulged their passwords in response to some kind of phishing message, and that Comcast itself is not to blame.

Update: Comcast said it did not believe the information came from inside the company, pointing to duplicated data on the list and the lack of structured information like account numbers.

“We have no reason to believe this came from Comcast. It looks like a phishing or related type of scheme,” said Jennifer Khoury, a Comcast spokeswoman. (Asked about this possibility earlier today, Mr. Andreyo said that he doubted he was ever the victim of a phishing scheme.)

Ms. Khoury said that Comcast was freezing the e-mail accounts of the customers on the list and contacting them to educate them about using safe passwords. She said the company would also urge them to download McAfee Security Suite, software that is made available free to all Comcast users.

Update: Ms. Khoury said in an e-mail message late Monday: “We have scrubbed the list that was on ScribD and have found that about 700 names are user ID’s that are for Comcast customers not 8,000. The other names on the list are either not customers, duplicates or older inactive accounts (no e-mail address currently).