Skip to main content

PSA: Security flaws exposed partial addresses & social security numbers of 26M Comcast users

Comcast Xfinity customers are the latest to be affected by lax online security. According to a report from BuzzFeed News, more than 26.5 million customers had their partial home addresses and social security numbers exposed…

Security researcher Ryan Stevenson first uncovered the security flaws. These vulnerabilities were in Comcast’s online customer portal and made it “easy for even an unsophisticated hacker to access this sensitive information.”

BuzzFeed News informed Comcast of the security holes, and the internet provider was quickly able to patch the flaws. In a statement addressing the data breach, a Comcast spokesperson explained that it blocked the security vulnerabilities within “hours,” while also reaffirming the company’s commitment to security:

Spokesperson David McGuire told BuzzFeed News, “We quickly investigated these issues and within hours we blocked both vulnerabilities, eliminating the ability to conduct the actions described by these researchers. We take our customers’ security very seriously, and we have no reason to believe these vulnerabilities were ever used against Comcast customers outside of the research described in this report.”

One of the flaws related to an “in-home authentication page” where a user is able to pay their bills without signing in. The portal allowed customers to verify their account information based on partial home addresses suggested by the Comcast site, if the device was or appeared to be connected to the home network:

Eventually, the page would show the first digit of the street number and first three letters of the correct street name, while asterisks hid the remaining characters. A hacker could then use IP lookup websites to determine the city, state, and postal code of the partial address.

The second vulnerability was discovered via a sign-up page for Comcast Authorized Dealers. By using a customer’s billing address, a hacker could “brute force the last four digits of a customer’s social security number.” Eventually, because the page did not limit how many attempts, hackers would reveal the social security number:

Armed with just a customer’s billing address, a hacker could brute force (in other words, repeatedly try random four-digit combinations until the correct combination is guessed) the last four digits of a customer’s social security number. Because the login page did not limit the number of attempts, hackers could use a program that runs until the correct social security number is inputted into the form.

Comcast says it is still investigating the vulnerabilities, but has yet to find any foul play thus far.


Subscribe to 9to5Mac on YouTube for more Apple news:

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Chance Miller Chance Miller

Chance is an editor for the entire 9to5 network and covers the latest Apple news for 9to5Mac.

Tips, questions, typos to chance@9to5mac.com