Personal information of millions of cable customers was left vulnerable to hacking. It took a security researcher and BuzzFeed News to discover and report the bug to Comcast Xfinity.
BuzzFeed News reports:
Comcast Xfinity inadvertently exposed the partial home addresses and Social Security numbers of more than 26.5 million customers, according to security researcher Ryan Stevenson, who discovered the security flaws. Two previously unreported vulnerabilities in the high-speed internet service provider’s online customer portal made it easy for even an unsophisticated hacker to access this sensitive information.
After BuzzFeed News reported the findings to Comcast, the company patched the flaws. Spokesperson David McGuire told BuzzFeed News, “We quickly investigated these issues and within hours we blocked both vulnerabilities, eliminating the ability to conduct the actions described by these researchers. We take our customers’ security very seriously, and we have no reason to believe these vulnerabilities were ever used against Comcast customers outside of the research described in this report.”
While Comcast has not found any foul play yet, its review is ongoing.
One of the flaws could be exploited by going to an “in-home authentication” page where customers can pay their bills without signing in.