36 Million Customers Affected In Massive Comcast Data Breach

re: security

Never use the same or similar password for more than one login. Every login should have a different password, the more random the better.

...

Does anyone NOT despise Comcast, AT&T, etc? And now this.

Where is my financial compensation? Why is there no law that costs these companies at least $100 per customer ($1000 would be better) for such incompetence? They would understand that message, and make sure this nonsense did not happen.

I have not received a notice about this breach from Comcast, perhaps because I am a business customer. As yet I am unsure if I was somehow not affected, or it is further Comcast incompetence.

36 Million Customers Affected In Massive Comcast Data Breach

Xfinity notified federal law enforcement and initiated an investigation into the nature and scope of the incident. On November 16, Xfinity determined that information was likely acquired. After additional review of the affected systems and data, Xfinity concluded on December 6, 2023, that the customer information in scope included usernames and hashed passwords; for some customers, other information may also have been included, such as names, contact information, last four digits of social security numbers, dates of birth and/or secret questions and answers. However, the data analysis is continuing.

Xfinity has required customers to reset their passwords to protect affected accounts. In addition, Xfinity strongly recommends that customers enable two-factor or multi-factor authentication to secure their Xfinity account, as many Xfinity customers already do. While Xfinity advises customers not to re-use passwords across multiple accounts, the company is recommending that customers change passwords for other accounts for which they use the same username and password or security question.

Customers with questions can contact Xfinity’s dedicated call center at 888-799-2560 toll-free 24 hours a day, seven days a week. More information is available on the Xfinity website at www.xfinity.com/dataincident.

MPG: as a reminder to readers there are a few key rules to follow with logins.

The first one is to use a different login name for each site. But feckless asshole companies do not allow you to do this, requiring your email, thus exposing half of the required information right off the bat. This is an industry-wide worst practice.

They top off that stupidity by limiting the length of passwords (e.g. Comcast does) and requiring asinine “secret questions” that you cannot help but share among different websites, because the questions are almost always the same with no choice to create your own. Another industry worst practice.

Companies with these Worst Practices should be liable for $10K per customer. This will never happen, because they spend enormous sums buying off legislatures, federal and state—follow the money.

Anon MD writes:

Follow the money. 36,000,000 x $1,000 = $36 billion fine. 1% of that is $360 million. 435 House members + 100 senators = 535 congressmembers. Or $672,897 per person. The lobbyists may spread the money out differentially, but enough so that no vote will ever pass.

As for the personal questions, you have got to make stuff up. Like, “Who’s your favorite movie star?” How about “yhsD3/&€8BxwWO7:dUffGht” and store that in your password manager so you can have a different random string for each idiotic question that an incompetent private detective could otherwise find the answer to with a good guess or a two minute data search.

There has ultimately got to be a better way of securing our accounts. I bet 10% of the passwords were “superman” with some variation in capitalization. Or maybe “password1”. Feckless morons, indeed. 

MPG: Congress is bought and paid for on all issues where money is at stake. Congress does not work for us, at least not in my lifetime. Congress is worse than useless as a result.

Agreed on the “make your own question” thing, but on 9 of 10 sites, the site not only requires those security-undermining questions, but does not allow creating your own questions... yet another Worst Practice. One almost might start to think they don’t really care about your security.

Passkeys are supposed to solve some of this, but those do no good at all when companies follow these Worst Practices. From what I can tell, passkeys are mostly a solution in search of a problem. The #1 issue today is about Worst Practices, which Comcast follows odiously.
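The rule at the top of this post (never the same or similar password on more than one login) and Xfinity's advice to change passwords on other accounts can be checked against a password-manager export. The Python sketch below is an added example, not part of the original post; the vault entries, the site names and the `stem` similarity rule are constructed assumptions.

```python
import re

# Constructed sample of a password-manager export: (site, username, password).
VAULT = [
    ("xfinity.com", "pat@example.com", "Superman1"),
    ("bank.example", "pat@example.com", "superman2023"),
    ("shop.example", "pat@example.com", "k7#Vq9!mZp2$Lr8x"),
    ("forum.example", "pat_forum", "Superman1"),
    ("mail.example", "pat@example.com", "T4&nW0^eYb6*Hs3d"),
]

def stem(password):
    """Case-fold and strip leading/trailing digits and symbols, so that
    'Superman1' and 'superman2023' collapse to the same stem."""
    lowered = password.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    return core or lowered  # all-digit/symbol passwords keep their full value

def exposed_by(vault, breached_site):
    """Return {site: reason} for logins to change once breached_site leaks."""
    leaked = [(u, p) for s, u, p in vault if s == breached_site]
    findings = {}
    for site, user, pw in vault:
        if site == breached_site:
            continue
        for leaked_user, leaked_pw in leaked:
            if pw == leaked_pw:
                reason = "same password"
            elif stem(pw) == stem(leaked_pw):
                reason = "similar password"
            else:
                continue
            # A shared login name (usually the e-mail address) means the
            # attacker already holds the other half of the credential.
            if user == leaked_user:
                reason += ", same username"
            findings[site] = reason
            break
    return findings

if __name__ == "__main__":
    for site, reason in exposed_by(VAULT, "xfinity.com").items():
        print(f"change {site}: {reason}")
```
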


Copyright © 2020 diglloyd Inc, all rights reserved.