Comcast's Xfinity internet/TV/home phone service is one of the most popular across the United States, and according to a report from BuzzFeed News, two individual security vulnerabilities left the social security numbers and home addresses of all 26.5 million subscribers exposed and accessible to even novice hackers.
Comcast says that there's no reason to believe any information was actually stolen, but even so, here's what you should know about what's going on.
What happened?
The first of the two vulnerabilities allowed attackers to obtain customers' full addresses using Comcast's in-home authentication system.
When connected to your home Xfinity network, you could log in to pay your bill by simply selecting the correct address from a list of five (see the picture above).
As BuzzFeed News notes in its article:
If a hacker obtained a customer's IP address and spoofed Comcast using an "X-forwarded-for" technique, they could repeatedly refresh this login page to reveal the customer's location. That's because each time the page refreshed, three addresses would change, while one address, the correct address, remained the same.
The second vulnerability has the potential to be even more damning as it exposed the last four digits of social security numbers,
On the log-in page for Comcast Authorized Dealers (Comcast employees that are selling the service at other retailers), the "Exisitng Customer Address" page asks for a user's address, last four digits of their SSN, account pin, and drivers license number.
The last four social security number digits are shown on this page, and by just having the billing address of a customer, an attacker could use a brute-force attack to repeatedly enter four-number combos until they got the right match. Per BuzzFeed News:
Because the login page did not limit the number of attempts, hackers could use a program that runs until the correct Social Security number is inputted into the form.
What you can do to protect yourself
The in-home authentication system has since been disabled after Comcast was informed of the vulnerability, and for the Authorized Dealer log-in, Comcast says it's placed "a strict rate limit on the portal" to prevent it from being abused.
Although Comcast is still conducting an investigation into the matter, the company says it doesn't believe any information was wrongfully used.
Even so, it's never a bad idea to update your password or start using two-factor authentication for all your online accounts when something like this pops up. In these situations, you can never be too safe.
