Change your passwords: Comcast hushes, minimizes serious hack

Summary: Opinion: Comcast took a page from Snapchat's playbook to hush and downplay NullCrew FTS' successful hack on dozens of Comcast's servers — from an unpatched, easy-to-fix vulnerability dated December 2013 — which most likely exposed customer data.

TOPICS: Security

Are you a Comcast customer? Please change your password.

On February 6, NullCrew FTS hacked into at least 34 of Comcast's servers and published a list of the company's mail servers and a link to the root file with the vulnerability it used to penetrate the system on Pastebin.

Comcast, the largest internet service provider in the United States, ignored news of the serious breach in press and media for over 24 hours — only when the Pastebin page was removed did the company issue a statement, and even then, it only spoke to a sympathetic B2B outlet.

During that 24 hours, Comcast stayed silent, and the veritable "keys to the kingdom" sat out in the open internet, ripe for the taking by any malicious entity with a little know-how around mail servers and selling or exploiting customer data.

Comcast customers have not been told to reset their passwords. But they should.

Once NullCrew FTS openly hacked at least 24 Comcast mail servers, and the recipe was publicly posted, the servers began to take a beating. Customers in Comcast's janky, hard-to-find, 1996-style forums knew something was wrong, and forum posts reflected the slowness, the up and down servers, and the eventual crashing.

The telecom giant ignored press requests for comment and released a limited statement on February 7 — to Comcast-friendly outlet, broadband and B2B website Multichannel News.

The day-late statement failed to impress the few who saw it, and was criticized for its minimizing language and weak attempt to suggest that the breach had been unsuccessful.

From Comcast's statement on Multichannel's post No Evidence That Personal Sub Info Obtained By Mail Server Hack:

Comcast said it is investigating a claim by a hacker group that claims to have broken into a batch of the MSO email servers, but believes that no personal subscriber data was obtained as a result.

"We're aware of the situation and are aggressively investigating it," a Comcast spokesman said. "We take our customers' privacy and security very seriously, and we currently have no evidence to suggest any personal customer information was obtained in this incident."

Not only is there a high probability that customer information was exposed — because direct access was provided to the public for 24 hours — but the vulnerability exploited by the attackers was disclosed and fixed in December 2013.

Just not by Comcast, apparently.

Vulnerability reported December 2013, not patched by Comcast

NullCrew FTS used the unpatched security vulnerability CVE-2013-7091 to open what was essentially an unlocked door, letting anyone access usernames, passwords, and other sensitive details from Comcast's servers.

NullCrew FTS used a Local File Inclusion (LFI) exploit to gain access to the Zimbra LDAP and MySQL database — which houses the usernames and passwords of Comcast ISP users.
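The mechanics behind an LFI bug like the one described above, as an added example (not code from the article, from Zimbra, or from Comcast): a hypothetical "skin" parameter is spliced into a file path without checks, beside a hardened version that allowlists and canonicalizes it, plus a small scan of constructed access-log lines for the traversal markers a defender would look for. The paths, parameter name and log lines are all constructed for the demo.

```python
import os
import re

# Constructed, hypothetical web root and allowlisted skin files; not real Zimbra paths.
SKIN_ROOT = "/var/www/skins"
ALLOWED_SKINS = {"default", "dark"}


def include_skin_unsafe(skin_param):
    """Vulnerable pattern: the request parameter goes straight into a path.
    A value such as '../../../etc/passwd' walks out of SKIN_ROOT, so the
    server reads (and may serve) an arbitrary local file."""
    return os.path.join(SKIN_ROOT, skin_param + ".css")


def include_skin_safe(skin_param):
    """Hardened version: reject NUL bytes and anything outside a strict
    character set, require an allowlisted name, then canonicalize and confirm
    the final path is still inside SKIN_ROOT. Returns None on rejection."""
    if "\x00" in skin_param or not re.fullmatch(r"[A-Za-z0-9_-]{1,32}", skin_param):
        return None
    if skin_param not in ALLOWED_SKINS:
        return None
    root = os.path.realpath(SKIN_ROOT)
    candidate = os.path.realpath(os.path.join(root, skin_param + ".css"))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


# Detection side: traversal sequences (plain or URL-encoded) and NUL-byte
# terminators in request lines are the usual fingerprint of LFI probing.
LFI_MARKERS = re.compile(r"(\.\./|\.\.%2f|%2e%2e|%00)", re.IGNORECASE)

# Constructed Apache-style access-log lines for the demo.
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Feb/2014:10:00:01 +0000] "GET /skins/?skin=default HTTP/1.1" 200 512',
    '10.0.0.9 - - [06/Feb/2014:10:00:02 +0000] "GET /skins/?skin=../../../etc/hostname%00 HTTP/1.1" 200 2048',
    '10.0.0.9 - - [06/Feb/2014:10:00:03 +0000] "GET /skins/?skin=%2e%2e%2f%2e%2e%2fetc/hostname HTTP/1.1" 200 2048',
]


def flag_lfi_attempts(log_lines):
    """Return the log lines whose request carries a traversal or NUL marker."""
    return [line for line in log_lines if LFI_MARKERS.search(line)]
```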

"Fun Fact: 34 Comcast mail servers are victims to one exploit," tweeted NullCrew FTS.

If you are a Comcast customer, you are at risk: All Comcast internet service includes a master email address.

Even if a customer doesn't use Comcast's Xfinity mail service, every Comcast ISP user has a master email account with which to manage their services, and it is accessible through a "Zimbra" webmail site.

This account is used to access payment information, email settings, user account creation and settings, and any purchases from Comcast's store or among its services.

With access to this master email address, someone can give up to six "household members" access to the Comcast account.

NullCrew taunted Comcast on Twitter, then posted the data on Pastebin and taunted the company a little bit more.

Because there were "no passwords" on the Pastebin, some observers believed — incorrectly — that there was no serious risk for exploitation of sensitive customer information.

NullCrew FTS: 2 — big telecoms: 0

On the first weekend of February 2014, NullCrew FTS took credit for a valid hack against telecom provider Bell Canada.

In the first strike of what looks like it'll be a very successful campaign to cause pain and humiliation to big telecoms, NullCrew FTS accessed and exposed more than 22,000 usernames and passwords, and some credit card numbers belonging to the phone company's small business customers.

Establishing a signature game of cat and mouse with clueless support staff, NullCrew FTS contacted Bell customer support two weeks before its disclosure.

Like Comcast's robotic customer service responses to NullCrew FTS on Twitter, Bell's support staff either didn't know how to report the security incident upstream, had no idea what a hacking event was, or didn't take the threat seriously.

Bell also tried to play fast and loose with its accountability in the security smash and grab; it acknowledged the breach soon after, but blamed it on an Ottawa-based third-party supplier.

However, NullCrew FTS had announced the company's insecurities in mid-January with a public warning that the hackers had issued to a company support representative about the vulnerabilities.

NullCrew FTS followed up with Bell by posting a Pastebin link on Twitter with unredacted data.

A page from Snapchat's playbook

Just over a month ago, popular social media sharing app Snapchat was the subject of headlines and the target of public scorn when hackers (Gibson Security) posted multiple known exploits after warning the company about its security holes, and having the problems ignored.

Snapchat further attempted — badly — to ignore press and public when the hackers later published details about Snapchat's security holes (some of which still call into question the validity of Snapchat's userbase) and released to the world a few very active Snapchat database exploits.

On Christmas Day 2013, headlines reported: Researchers publish Snapchat code allowing phone number matching after exploit disclosures ignored.

Less than a week later, the database exploits and recipes for access were used maliciously against Snapchat customers when the world read: Predictably, Snapchat user database maliciously exposed.

Snapchat hung its userbase out to dry.

It looks like Comcast has, too.

It's a reprehensible playbook, void of accountability and rife with risk for the only people involved who can't do a damn thing to protect themselves.

I think the situation demands we ask the question: What else isn't Comcast doing?

Perhaps Comcast should change its tagline.

  • Surprised anything works at Comcast

    As a Comcast broadband customer, I am always surprised anything works at Comcast.
    They can just barely keep their stuff together to call themselves an Internet Provider. Because I am basically stuck with them as a provider, I try not to dwell on their incompetence.
    • I have had very good luck with them in recent years but my ...

      ... father-in-law has not (he lives in a much older neighborhood than I). My sister-in-law lives in a very old neighborhood in Atlanta and she has lots of trouble. The problems Comcast has are often tied to aging infrastructure. If you want to get good service in an old neighborhood, you have to pay attention to what the service people are doing and, if they have to come out more than once, ask to speak to a manager and insist that they fix the problem - no matter where it is. Unless it is inside your walls, it is their problem, so they will try to blame you when it is their problem. Make them prove it!
      M Wagner
    • I never had a problem with their service or support in twelve years.

      But several of their sales phone representatives lied to me about terms and conditions at different times, and most importantly there is no way to downgrade service through their customer website. Rather than argue with a sales representative on the phone, I downgraded by switching television providers. I'm stuck with Comcast for broadband.
  • Change which passwords?

    I don't use Comcast, but I shared it on Facebook since I'm sure I have plenty of friends who do and I think it's invaluable for them to know. However, a non-technical friend quickly replied, "Change which passwords? Wifi? Non-comcast email? Website? All the things?" That's a great question that I bet most Comcast customers won't know the answer to. A non-technical person won't know if this kind of breach means they should just change the password they use to get to their Comcast account and billing information, or if it also includes their Comcast email, or if it means every password they use online might be compromised. And, as a technical person, I don't really know either, and Comcast sure isn't saying.

    It's probably safe to assume that customers' non-Comcast passwords weren't compromised, at least for SSL-only sites like Facebook and Amazon, but if they use the same password for Comcast as they do for e.g. Facebook, they might want to change their Facebook password too. I'd also be concerned about security questions, especially since those are more likely to be stored insecurely. Again, a little transparency from Comcast would be really helpful for customers, but I doubt we're going to see it. If you could provide a little more guidance for non-technical readers about which passwords they need to worry about, though, I think it would be a great service.
    • definitely only those passwords you use to gain access to Comcast ...

      ... services on the website.
      M Wagner
    • You nailed it: Comcast services passwords and any related services

      @jrunning - Your question is one that was at the back of my mind the entire time I was working on this article. I think that the least Comcast could have done, or do now, is point us to any safety/security basics like which passwords to change. I think they can do this without compromising which areas of their environment were owned.

      You answered it perfectly:

      "It's probably safe to assume that customers' non-Comcast passwords weren't compromised, at least for SSL-only sites like Facebook and Amazon, but if they use the same password for Comcast as they do for e.g. Facebook, they might want to change their Facebook password too. I'd also be concerned about security questions, especially since those are more likely to be stored insecurely."

      To sum - though it is ridiculously broad:

      * MINIMUM: All Comcast and Comcast/Xfinity services
      * MINIMUM: All email accounts with or under Comcast/Xfinity
      * Suggested: Comcast master account username (eHow has easy tutorials)
      * Suggested: Any connected billing information passwords

      Also possibly:

      * Suggested: Any services with similar/same passwords
      * Suggested: Any connected services and devices connected with or used for those services

      I would also log into my connected billing for Comcast/Xfinity services (like your connected credit card) and put an alert for unusual activity if possible, or just personally monitor the connected billing account frequently for activity. Make sure your autopay is an account that covers fraudulent activity - just in case.

    The problem is static passwords, not hackers.
    As long as we keep storing static passwords on large servers we will be victimized when the servers we use get hacked.
    We need to move to one time passwords to protect ourselves from sloppy careless server system administrators.
    See this for a better explanation:
    • Yes, exactly

      @kwjennings - Yes yes yes, you are so right about static passwords. Thank you for posting this.
      • Static passwords

        The Urqi thing, or any good physical key, is great as long as you don't lose it, and keeping passwords on different sites different is always a good idea, but the idea that you need to change your password every xx days is no longer a decent one. Yes, cracking code can test hundreds of thousands of potential passwords per second...if they have the hash file. If they don't have the hash and try to do that kind of volume against any site that has even basic security, you'll have the account locked or at least the login attempts delayed within milliseconds, making a brute force attack impossible. If they have the hash, it doesn't matter how often you change it, they're going to get it.
        • Static passwords and two-factor authentication

          I so agree that changing passwords often is better than a static password, but like Scarbarough states, any kind of single sign on solution is vulnerable whether you change your password often or not. I use a password manager called LastPass which creates really strong, individual passwords for all of my accounts and saves them in a "vault" which is protected with Toopher, a two-factor authentication solution. Toopher uses an app on my phone where I can authorize a sign on, ensuring that it is me who's trying to get into my account. I feel so much safer with both levels of protection and I'd highly recommend it to anyone with multiple accounts across the web.
  • Comcast clueless

    Just got off the phone with Comcast. Neither rep I talked to seemed to know about the breach. When I mentioned the hack they each responded with a perfunctory 'Uh huh'. My account had been 'temporarily' put on hold till I called them to ask for assistance in changing my password. (Meaning they had to give me a temporary password, then I was able to log on and change that one.) Reps were very pleasant and wanting to help, just a bit clueless, having to check with someone else on each of the steps to change my password. Maybe Mondays are New Employee Day.
  • Hmm, I tried to login in yesterday, never could, always timed out

    thought that was weird, will be changing pwd, even though it should be stored as a hash.
  • FYI, the 'CVE' link in this article is bad, remove "s" from "https"

    Violet, your "CVE" link is bad. Please remove the "s" from "https".
    Here's part of the line that needs to be changed:
    "...vulnerability CVE-2013-7091 to "

    Your link points to "https://" and that link breaks but, without the 's,' the link works fine.
    • Thank you!

      Fixed :)
  • And these are benevolent hackers

    Nullcrew FTS and such others are trying to make the ISPs and other companies aware that they have vulnerabilities and get them to make their systems more secure for their users.

    But what if it had been a malicious crew who decided to find a flaw and really exploit it? The companies involved would have lost (possibly) millions of dollars, a high percentage of their users who would not trust them anymore, and even the users themselves could have found their credit totally valueless.

    When are the companies who hold so much power going to do the right thing and make their systems really secure?

    That is the reason I do NOT and never will have an account on any of the social media.
    • Benevolent?

      What's so benevolent about posting the flaw so that non-benevolent hackers have access to it? How about just informing Comcast that there's a flaw in their system?
      • Re: Benevolent

        This is because many companies/organizations will not take the warnings seriously, as mentioned a few times in this article! If they do not take the warning/information seriously AND act on it, then the only way to get them to change anything is to make it public information. Then all of a sudden, many of these organizations are real quick to make those changes!!
        • "warnings"

          They sent "warnings" to some generic Comcast support forum, and when the generic first-level support person didn't respond to the warning by putting Comcast on instant high alert, they posted the exploit with the link captioned "have fun everyone."

          Yes, the problem shouldn't have been there in the first place, and it should have been patched in a timely fashion, and Comcast (and other companies) need better ways of dealing with these problems (before, during and after security issues), but this group aren't benevolent whitehats responsibly trying to push a slow-moving corporation into doing right by its customers.
      • Good reason why

        Kind of naive, eh? You must be a believer. Believe in God, but everyone else pays cash. I guess that is not a sarcastic comment on Comcast. Hackers already have access. If you haven't noticed, there is no such thing as security, just relative levels of insecurity. This is nothing new.