Xfinity August 2018 security vulnerability: Everything you need to know
Comcast's Xfinity internet/TV/home phone service is one of the most popular across the United States, and according to a report from BuzzFeed News, two separate security vulnerabilities left the social security numbers and home addresses of all 26.5 million subscribers exposed and accessible to even novice hackers.
Comcast says that there's no reason to believe any information was actually stolen, but even so, here's what you should know about what's going on.
What happened?
The first of the two vulnerabilities allowed attackers to obtain customers' full addresses using Comcast's in-home authentication system.
When connected to your home Xfinity network, you could log in to pay your bill by simply selecting the correct address from a list of five (see the picture above).
As BuzzFeed News notes in its article:
The second vulnerability has the potential to be even more damaging, as it exposed the last four digits of social security numbers.
On the log-in page for Comcast Authorized Dealers (Comcast employees who sell the service at other retailers), the "Existing Customer Address" page asks for a user's address, last four digits of their SSN, account PIN, and driver's license number.
The last four digits of the social security number are shown on this page, and with nothing more than a customer's billing address, an attacker could use a brute-force attack, repeatedly entering four-digit combinations until they got the right match. Per BuzzFeed News:
What you can do to protect yourself
The in-home authentication system has since been disabled after Comcast was informed of the vulnerability, and for the Authorized Dealer log-in, Comcast says it has placed "a strict rate limit on the portal" to prevent it from being abused.
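The rate limit is the interesting part of that fix: a four-digit value has only 10,000 possible combinations, so a verification endpoint that lets a caller retry freely will eventually leak it. The following is an added example, not Comcast's code or anything from the BuzzFeed report, of how a defender would structure such a check. The thresholds (5 attempts per 15-minute window, then a one-hour lockout), the `SsnLookupGuard` class name and the sample records are all constructed assumptions. Attempts are budgeted per account (the billing address the attacker already knows) rather than per source IP, a correct answer during a lockout is still refused so the lockout cannot be used as an oracle, and each lockout emits an alert record that a SOC could forward to a SIEM.

```python
import hmac
import time
from collections import defaultdict, deque

# Assumed policy values for this example; a real deployment tunes these.
MAX_ATTEMPTS = 5        # failures tolerated per account inside WINDOW_SECONDS
WINDOW_SECONDS = 900    # 15-minute sliding window for counting failures
LOCKOUT_SECONDS = 3600  # how long the account is frozen once the budget is spent


class SsnLookupGuard:
    """Rate-limited verifier for 'last four of SSN' lookups keyed on billing address.

    Constructed example (not a vendor implementation). Keying on the account
    rather than the client IP means an attacker rotating source addresses
    still shares one small guess budget per victim.
    """

    def __init__(self, records, clock=time.monotonic):
        self._records = records          # address -> last four digits (constructed sample data)
        self._clock = clock              # injectable clock so the behaviour is testable
        self._failures = defaultdict(deque)  # address -> timestamps of recent failures
        self._locked_until = {}          # address -> monotonic time when lockout ends
        self.alerts = []                 # detection records emitted on each lockout

    def verify(self, address, last_four):
        """Return 'ok', 'denied' or 'locked'. Never reveals whether the address exists."""
        now = self._clock()

        # A locked account refuses every answer, including the right one.
        if self._locked_until.get(address, 0) > now:
            return "locked"

        # Drop failures that have aged out of the sliding window.
        window = self._failures[address]
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()

        # Malformed input counts as a failed attempt; restrict to ASCII digits so
        # the constant-time comparison below always receives comparable strings.
        well_formed = (isinstance(last_four, str) and len(last_four) == 4
                       and last_four.isascii() and last_four.isdigit())
        expected = self._records.get(address)
        # Unknown addresses take the same failure path as wrong digits.
        matched = (well_formed and expected is not None
                   and hmac.compare_digest(expected, last_four))

        if matched:
            window.clear()
            return "ok"

        window.append(now)
        if len(window) >= MAX_ATTEMPTS:
            # Budget exhausted: freeze the account and leave a detection artifact.
            self._locked_until[address] = now + LOCKOUT_SECONDS
            window.clear()
            self.alerts.append({
                "event": "ssn_lookup_lockout",
                "address": address,
                "locked_until": self._locked_until[address],
                "failures_in_window": MAX_ATTEMPTS,
            })
            return "locked"
        return "denied"


def demo():
    """Walk a legitimate check and an over-budget run of guesses on constructed data."""
    clock = [0.0]
    guard = SsnLookupGuard({"123 Main St, Anytown": "4321"}, clock=lambda: clock[0])
    results = [guard.verify("123 Main St, Anytown", "4321")]          # legitimate user
    results += [guard.verify("123 Main St, Anytown", "0000") for _ in range(5)]
    results.append(guard.verify("123 Main St, Anytown", "4321"))      # right answer, but locked
    clock[0] += LOCKOUT_SECONDS + 1
    results.append(guard.verify("123 Main St, Anytown", "4321"))      # lockout expired
    return results, len(guard.alerts)


if __name__ == "__main__":
    print(demo())
```

With these numbers an attacker who knows only the address gets at most five guesses per lockout period, so covering the 10,000-value space would take months of attempts that each leave an alert behind; the caveat is that the budget has to be keyed on the thing the attacker cannot change (the victim's account), because a limit keyed only on client IP is defeated by a proxy pool.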
Although Comcast is still conducting an investigation into the matter, the company says it doesn't believe any information was wrongfully used.
Even so, it's never a bad idea to update your password or start using two-factor authentication on all your online accounts when something like this pops up. In these situations, you can never be too safe.
Joe Maring was a Senior Editor for Android Central between 2017 and 2021. You can reach him on Twitter at @JoeMaring1.