
March 17th, 2009

Comcast responds to passwords leak on Scribd

Posted by Dancho Danchev @ 12:28 pm

Categories: Botnets, Browsers, Data theft, Hackers, Malware, Passwords, Phishing, Spam and Phishing

Tags: Security, Comcast, CMCSA, Scribd, Passwords Management, Dancho Danchev

Comcast has responded to the recently found list of passwords hosted at the popular social publishing site Scribd. The list was originally claimed to contain 8000 passwords for Comcast customers; the company now states that 4000 of the passwords are duplicates and that only 700 of them belong to active Comcast customers.

This incident, perhaps the result of a phishing campaign that apparently took place a long time ago, highlights several important issues. For instance, the professor at Wilkes University who originally came across the list — copies of it are still available online — is disturbed by the fact that he’s using this very same leaked password everywhere else: “That isn’t just my password for Comcast, it’s my password for everything that is not tied to my credit card.” Bad password management practices are clearly in place, but how relevant are these best practices in a situation where the host is already compromised by malicious software? A rhetorical question.

In a recently released Gartner document entitled “Consumers Don’t Want to Change the Ways They Manage Online Passwords”, the analysts try to raise awareness of the fact that users continue to use the same (weak) passwords across different web sites. And whereas the document reasonably emphasizes this well-known insecure practice, it excludes a simple truth: a password’s strength, and the use of different passwords across web sites, become irrelevant once a host gets compromised.

Comcast is in the process of notifying the affected customers. This looks like phishing as usual, with an odd choice by the campaigners of where to host the collected data.

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog.


  • Talkback
  • Most Recent of 2 Talkback(s)
RE: Comcast responds to passwords leak on Scribd
"That isn’t just my password for Comcast, it’s my password for everything"

The only thing worse than using the same password for everything is publicly revealing that you do. ...
Posted by: rkillings Posted on: 03/18/09
Comcast throttles so passwords are useless  BALTHOR | 03/17/09
RE: Comcast responds to passwords leak on Scribd  rkillings | 03/18/09
