Comcast responds to passwords leak on Scribd

Perhaps the result of a phishing campaign that apparently took place a long time ago, this incident highlights several important issues. For instance, the professor at Wilkes University that originally came across the list -- copies of it are still available online -- is disturbed by the fact that he's using this very same leaked password everywhere else - “That isn’t just my password for Comcast, it’s my password for everything that is not tied to my credit card,”. Bad password management practices are clearly in place, but how relevant are these best practices in a situation where the host is already compromised by malicious software? A rhetorical question.

• Go through related Comcast security incidents - Comcast's DNS records hijacked, redirect to hacked page; How was Comcast.net hijacked?

In a recently released Gartner document entitled "Consumers Don't Want to Change the Ways They Manage Online Passwords" the analysts try to raise awareness on the fact that users continue using the same (weak) passwords across different web sites. And whereas the document is reasonably emphasizing on the well known insecure practice, it excludes a simple truth - that a password's strength and diversity of different passwords across web sites, becomes irrelevant practice once a host gets compromised.

Comcast is in a process of notifying the affected customers. Looks like phishing as usual, with an odd choice for hosting the collected data on behalf of the campaigners.