Comcast breach exposes 26.5m customers’ Social Security Numbers and partial addresses

Posted on Thursday, 9th August 2018 @ 03:13 PM


Comcast Xfinity’s login page had an easily found bug that allowed anyone to gain access to the Social Security Numbers and partial home addresses of over 26.5 million customers.

Comcast spokesapologist David McGuire says the company patched the bug quickly after being notified of its existence by security researcher Ryan Stevenson, that the company “take[s] our customers’ security very seriously,” and that the company didn’t think anyone had exploited the bug.

I’m going to make a guess here: the bug was the result of one of the many mergers and acquisitions that have allowed Comcast to grow to be the country’s largest and most hated cable operator, as they put profits and growth ahead of integration and security. It’s just a guess, but it’s an educated one. Merging IT systems is one of the most notoriously tricky and insecure things a corporation can do.

This vulnerability was particularly easy to exploit, and easy to use to target a specific person. It’s simple to obtain someone’s IP (Internet Protocol) address, a string of numbers that links your internet activity to the network connection you’re using. Web administrators can see the IP addresses of everyone who visits their website. Many forums also disclose users’ IP addresses, along with their usernames. A malicious actor can also send someone a link designed specifically to obtain a target’s IP address.

While an IP address alone is not sensitive information, paired with the knowledge of someone’s internet service provider, it can help a bad actor confirm their target’s specific location. And often, it’s fairly easy to figure out someone’s internet service provider, or ISP, because an area is typically limited to one or two high-speed internet options, thanks to the consolidation of internet companies.

In the second vulnerability that Stevenson discovered, a sign-up page through the website for Comcast’s Authorized Dealers (sales agents stationed at non-Comcast retail locations) revealed the last four digits of customers’ Social Security numbers. Armed with just a customer’s billing address, a hacker could brute-force (that is, try four-digit combinations one after another until the correct one is found) the last four digits of a customer’s Social Security number. Because the login page did not limit the number of attempts, hackers could use a program that runs until the correct Social Security number is entered into the form.
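The missing control in that second flaw is an attempt limit: with only 10,000 possible four-digit values and no lockout, a form that answers “right” or “wrong” is just an oracle. The following is an added illustration, not Comcast’s or BuzzFeed’s code, of what the server side should have done. It assumes a hypothetical `Ssn4Verifier` class with made-up thresholds (`MAX_FAILED_ATTEMPTS`, `LOCKOUT_SECONDS`), a constructed account record, and a constructed log-line format for the detection check; none of these names or values come from the article.

```python
# Added example (not Comcast's code): a server-side verifier for the last four
# digits of an SSN that enforces a per-account attempt limit and lockout, plus a
# log check that flags sources making many failed attempts. All data is constructed.
import hmac
import re
from collections import defaultdict

MAX_FAILED_ATTEMPTS = 5      # failures allowed before the account locks (assumed value)
LOCKOUT_SECONDS = 15 * 60    # lock duration (assumed value); the guess space is 10,000


class Ssn4Verifier:
    """Verifies SSN last-4 for an account, locking the account after repeated failures."""

    def __init__(self, records, clock):
        # records: account id -> last four digits (constructed sample data)
        self._records = dict(records)
        self._failed = defaultdict(int)
        self._locked_until = {}
        self._clock = clock  # callable returning the current time in seconds

    def verify(self, account_id, candidate):
        now = self._clock()
        # Refuse while locked, even if the candidate is correct: the lock is what
        # caps how many guesses anyone can make against one account.
        if self._locked_until.get(account_id, 0) > now:
            return "locked"
        expected = self._records.get(account_id, "")
        # Constant-time comparison; unknown accounts fall through to "denied" so the
        # response does not reveal whether an account exists.
        if expected and hmac.compare_digest(expected, str(candidate)):
            self._failed.pop(account_id, None)
            return "ok"
        self._failed[account_id] += 1
        if self._failed[account_id] >= MAX_FAILED_ATTEMPTS:
            self._locked_until[account_id] = now + LOCKOUT_SECONDS
            self._failed.pop(account_id, None)
        return "denied"


def simulate_lockout():
    """Walk a constructed account through failed guesses, lockout and lock expiry."""
    clock = {"t": 1_000}
    verifier = Ssn4Verifier({"acct-1001": "4321"}, clock=lambda: clock["t"])
    results = [verifier.verify("acct-1001", guess) for guess in ("0000", "0001", "0002", "0003", "0004")]
    results.append(verifier.verify("acct-1001", "4321"))  # correct value, but the account is locked
    clock["t"] += LOCKOUT_SECONDS + 1
    results.append(verifier.verify("acct-1001", "4321"))  # lock has expired
    return results


# Constructed log format (assumed, not Comcast's): "t=<epoch> src=<ip> acct=<id> result=<ok|denied|locked>"
LOG_RE = re.compile(r"t=(?P<t>\d+) src=(?P<src>\S+) acct=(?P<acct>\S+) result=(?P<result>\w+)")

SAMPLE_LOG = [f"t={100 + i} src=198.51.100.7 acct=acct-1001 result=denied" for i in range(12)] + [
    "t=105 src=203.0.113.5 acct=acct-2002 result=denied",
    "t=106 src=203.0.113.5 acct=acct-2002 result=ok",
]


def flag_guessing_sources(log_lines, window_seconds=60, threshold=10):
    """Return {src: max_failures_in_window} for sources whose non-ok results within
    any window_seconds-long window reach the threshold (sliding-window count)."""
    events = defaultdict(list)
    for line in log_lines:
        match = LOG_RE.search(line)
        if match and match["result"] != "ok":
            events[match["src"]].append(int(match["t"]))
    flagged = {}
    for src, times in events.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    print(simulate_lockout())
    print(flag_guessing_sources(SAMPLE_LOG))
```

The lockout is keyed on the account rather than the client address on purpose: an attacker can rotate source addresses cheaply, but the account under attack is fixed, so that is where the guess budget has to be enforced. The log check is the complementary detection signal for the operations side, and in a real deployment it would also key on the account so that distributed guessing against one customer is visible.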

Security Flaws On Comcast’s Login Page Exposed Customers’ Personal Information [Nicole Nguyen/Buzzfeed]

(via /.)

(Image: Abdul Rahman, CC-BY)

