
Comcast gets hacked

Donut417

Summary

 

Customers were prompted at log in to change their passwords. This story first broke at DSLreports.com when users were posting that they were prompted to change their passwords. I should also mention that some parts of the Accounts portion of the site do not function correctly. Some people are reporting their cable modems not showing up. I have seen that my historical data for data usage is no longer coming up.

 

Quotes

Quote

What Happened? On October 10, 2023, one of Xfinity's software providers, Citrix, announced a vulnerability in one of its products used by Xfinity and thousands of other companies worldwide. At the time Citrix made this announcement, it released a patch to fix the vulnerability. Citrix issued additional mitigation guidance on October 23, 2023. We promptly patched and mitigated our systems.

Quote

The unauthorized access led to customer information that was “likely acquired,” including usernames, hashed passwords, contact details and last four digits of social security numbers, the company said.

My thoughts

Firstly, Comcast is throwing someone under the bus. Nothing is ever their fault. That all being said, I'm not really surprised. I guess the good news is they didn't get any payment info. Comcast tries to push people to paperless billing/auto bill pay by giving a $10/month discount. Not all users will have their Social Security numbers on file. We have had service with DOCSIS cable internet since before Comcast acquired the local provider, so they didn't have my mom's Social Security number, as she didn't provide it to the old provider. As far as contact details, I would think that our address is probably part of public record and/or has been leaked multiple times, because T-Mobile gets breached like yearly, and who knows what they got when Equifax got breached. I figure every shady telemarketer has our phone numbers; I just don't answer numbers I don't know.

 

I wonder what bullshit thing they are going to provide to compensate customers? A year of credit monitoring? A $5 credit? My mom already got a free year of credit monitoring when our healthcare provider got hacked. We need to come up with better solutions to help mitigate this bullshit.

 

Sources

Quote

[Image attachment: breach.PNG]

PDF directly from the Comcast Website

 

https://nypost.com/2023/12/18/business/comcasts-xfinity-warns-customer-information-likely-acquired-in-hacking-incident/

I just want to sit back and watch the world burn. 


How will we know if we are affected? Also, does anyone know where in the account you can check if your social is recorded somewhere? I can't remember if I had to give them one when I set up my account. I don't think so.


Just now, Fasterthannothing said:

How will we know if we are affected? Also, does anyone know where in the account you can check if your social is recorded somewhere? I can't remember if I had to give them one when I set up my account. I don't think so.

You probably won't know for sure. They will likely provide a year of credit monitoring, but that being said, you can't do much with the last 4 digits of the SSN; you need the other 5 if you're going to do stuff. In my opinion, just assume you are affected. With the amount of companies that are breached each year, I mean, how many times has your info been leaked? I know mine has been leaked multiple times. I check my credit regularly through Credit Karma, and my employer provides ID theft protection through Allstate.

I just want to sit back and watch the world burn. 


9 minutes ago, Donut417 said:

You probably won't know for sure. They will likely provide a year of credit monitoring, but that being said, you can't do much with the last 4 digits of the SSN; you need the other 5 if you're going to do stuff. In my opinion, just assume you are affected. With the amount of companies that are breached each year, I mean, how many times has your info been leaked? I know mine has been leaked multiple times. I check my credit regularly through Credit Karma, and my employer provides ID theft protection through Allstate.

Yeah, at this point I just accept it as a fact that all my info is floating online somewhere. The Have I Been Pwned website reads like a book now instead of what used to be a few sentences.


41 minutes ago, Fasterthannothing said:

I can't remember if I had to give them one when I set up my account. I don't think so.

A lot of cable/utility companies will ask for a social once when you first sign up for service, as they run a credit check. So it's likely they do have it.


2 hours ago, Fasterthannothing said:

How will we know if we are affected?

 

1 hour ago, Donut417 said:

You probably wont know for sure. 

Close to 36 million accounts. Feeling lucky?

 

If Comcast (Xfinity) is your ISP, you'll want to change your account password immediately. Some have reported strange scam calls claiming to be from Comcast and referencing billing info (including the last payment) as proof. In reality, the scammer probably logged into the account to obtain as much information as possible prior to calling the victim.


If a Comcast rep calls you, hang up and call the real support number directly. Don't fall for spoofed caller ID info.


48 minutes ago, StDragon said:

If a Comcast rep calls you

Pro tip: they won't, like most other large corporates. Just remember "you" aren't worth being called, and it would be a waste of time, resources and money when a late payment email or letter can be sent, for example.


10 minutes ago, leadeater said:

Pro tip: they won't, like most other large corporates. Just remember "you" aren't worth being called, and it would be a waste of time, resources and money when a late payment email or letter can be sent, for example.

True...unless they're trying to sell you something.

 

That's the danger here. Comcast has officially announced raising prices. If I were a scammer (playing devil's advocate for a moment), I would use this to negotiate with the victim to hand over sensitive payment info to "lock in" a new low rate. And you know people will fall for this.


4 hours ago, Donut417 said:

Firstly Comcast throwing someone under the bus. Nothing is ever their fault.

I mean, if the attacker got in because of 3rd-party software and it's a piece of software that is widely used in the industry, it's not entirely their fault (depending).

 

With that said, I think it really highlights that every piece of software installed should be considered a vulnerability. It's unfortunate that we are in a state these days where things are also so connected or require certain things with online functionality/complexities. Just like when SolarWinds was compromised.

3735928559 - Beware of the dead beef


1 hour ago, wanderingfool2 said:

I mean, if the attacker got in because of 3rd-party software and it's a piece of software that is widely used in the industry, it's not entirely their fault (depending).

 

With that said, I think it really highlights that every piece of software installed should be considered a vulnerability. It's unfortunate that we are in a state these days where things are also so connected or require certain things with online functionality/complexities. Just like when SolarWinds was compromised.

A 13-day turnaround from notification and patch release to actually getting it installed is not bad; also, the breach happened after 6 days. You can't just take systems down and patch them without proper process.

 

Also, Citrix support just isn't that good. I'd also say mitigation information should have been available at public disclosure, precisely because you can't just take systems down and patch.


7 hours ago, wanderingfool2 said:

I mean if the attacker got in because of 3rd party software and it's a piece of software that is widely used in the industry it's not entirely their fault (depending).

"Citrix Bleed" has been known since Oct 10th. Unless it's been exploited prior, Comcast should have planned and updated accordingly. However Comcast did say the breach occurred on Oct 16th, so that would have given them less than a week.

https://www.cisa.gov/guidance-addressing-citrix-netscaler-adc-and-gateway-vulnerability-cve-2023-4966-citrix-bleed

https://nvd.nist.gov/vuln/detail/CVE-2023-4966


11 hours ago, leadeater said:

A 13-day turnaround from notification and patch release to actually getting it installed is not bad; also, the breach happened after 6 days. You can't just take systems down and patch them without proper process.

 

Also, Citrix support just isn't that good. I'd also say mitigation information should have been available at public disclosure, precisely because you can't just take systems down and patch.

Yeah, that's why I was saying it's not entirely Comcast's fault (depending). When it comes to vulnerable 3rd-party software it can be hard to react in time; or even in this case, it seems like mitigation suggestions weren't even released until after the breach.

 

It's why I actually dislike how so much 3rd-party software, cloud-connected stuff and such is becoming almost mandatory to an extent. As systems become more complex, it adds more vectors of attack and more areas where vulnerabilities could be overlooked.

 

Not exactly an example of this, but look at UniFi, where they accidentally let one user view another user's camera system. We are greatly rocketing ourselves into a world where a handful of companies create resources that essentially become the de facto standard. Cloud-connected routers, cloud-connected security (SolarWinds), online device drivers (Ricoh once wanted me to put a device in my network so they could monitor the printers).

 

It really feels like we are building companies in a way where the compromise of one or two services could potentially create a cascading effect...if that makes sense.

3735928559 - Beware of the dead beef


Thankfully for me, this is one of my accounts using a random password, from my password manager, so it took a couple minutes to generate a new one. 

My eyes see the past…

My camera lens sees the present…


25 minutes ago, Zodiark1593 said:

Thankfully for me, this is one of my accounts using a random password, from my password manager, so it took a couple minutes to generate a new one. 

Did you see where they let you set 128 characters? lol


3 hours ago, wanderingfool2 said:

It really feels like we are building companies in a way where the compromise of one or two services could potentially create a cascading effect...if that makes sense.

The issue is these companies want info they shouldn't be allowed to have. Like a linked bank account? Why would you want the liability of storing that data? I understand there are fees with credit, but to my understanding fees for debit are on the card owner, not the merchant.

 

Why do they need your SSN? I mean, I could see running credit for financing hardware, but they only do that on the cell phone side. If all the customer has is cable/internet/home phone, for example, they are generally leasing hardware from Comcast or they buy their own.

I just want to sit back and watch the world burn. 


22 hours ago, Donut417 said:

I wonder what bullshit thing they are going to provide to compensate customers? A year of credit monitoring? A $5 credit? My mom already got a free year of credit monitoring when our healthcare provider got hacked. We need to come up with better solutions to help mitigate this bullshit.

While compensation is nice, I'll never be satisfied with data breaches until people who caused the breach are actually punished in a meaningful way for allowing it to occur. To be clear, I don't mean we should penalize anyone who's just "doing their job" as directed by their boss - programmers / developers / etc. only have access to the resources as provided by their boss / MaNgLeMeNt. However, a fine of $X is usually just a drop in the bucket for most companies, and doesn't incentivize executives to prevent the problem from recurring.

Desktop: KiRaShi-Intel-2022 (i5-12600K, RTX2060) Mobile: OnePlus 5T | Koodo - 75GB Data + Data Rollover for $45/month
Laptop: Dell XPS 15 9560 (the real 15" MacBook Pro that Apple didn't make) Tablet: iPad Mini 5 | Lenovo IdeaPad Duet 10.1
Camera: Canon M6 Mark II | Canon Rebel T1i (500D) | Canon SX280 | Panasonic TS20D Music: Spotify Premium (CIRCA '08)


3 hours ago, Donut417 said:

The issue is these companies want info they shouldn't be allowed to have. Like a linked bank account? Why would you want the liability of storing that data? I understand there are fees with credit, but to my understanding fees for debit are on the card owner, not the merchant.

They are merchant transaction fees, often handed on to the purchaser by the merchant. Merchants that do not are absorbing the fee by choice.

 

Bank account direct debit doesn't actually store the bank account number, and a bank account number by itself is useless anyway. What is stored is an authorization token that allows for repeated, not new, transactions, and the token can't be exfiltrated and used by anyone else. The only danger in authorized direct debit bank account transactions is accounting errors and getting double charged or the wrong charge, but legally those must be corrected.

 

When I got another car and I wanted to add it on to my insurance policy, I just asked to use the same payment details, and they said that wasn't possible since they didn't store account numbers or credit card numbers, so they can't just tack on new things; they have to request that information each time.

 

3 hours ago, Donut417 said:

Why do they need your SSN? I mean, I could see running credit for financing hardware, but they only do that on the cell phone side. If all the customer has is cable/internet/home phone, for example, they are generally leasing hardware from Comcast or they buy their own.

Because if you have really bad credit or debt owing, they will refuse you as a customer. Even here, electricity companies will check your history for that stuff.

 

Here you don't need an SSN for that; you just have to consent to the check, and your full name and current plus previous address is enough, or driver's license number.
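The tokenized direct-debit arrangement described in this post, as an added example that is not from the thread, from Comcast or Citrix, or from any real payment processor. The `Processor` and `MerchantDB` classes, the merchant names and the sample account number are constructed for the demonstration, and binding each token to a single merchant id and to a per-mandate amount ceiling are assumed properties of the mandate rather than a description of any specific processor's scheme:

```python
"""Toy model of tokenized direct-debit mandates.

Added example for this thread (not the code of Comcast, Citrix or any real
payment processor). The processor keeps the bank account number in its own
vault and hands the merchant an opaque token bound to that merchant and to a
repeating mandate. A dump of the merchant's database therefore exposes no
account numbers, and a token lifted from one merchant's database is refused
when a different merchant presents it.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Mandate:
    account_number: str    # stored only inside the processor's vault
    merchant_id: str       # the one merchant permitted to present the token
    max_amount_cents: int  # ceiling the customer agreed to for repeat charges


class Processor:
    """Hypothetical processor-side vault (constructed for this example)."""

    def __init__(self) -> None:
        self._vault: dict[str, Mandate] = {}

    def tokenize(self, account_number: str, merchant_id: str,
                 max_amount_cents: int) -> str:
        # The token is random, so it carries no information about the account.
        token = "tok_" + secrets.token_hex(16)
        self._vault[token] = Mandate(account_number, merchant_id, max_amount_cents)
        return token

    def charge(self, token: str, merchant_id: str, amount_cents: int) -> str:
        """Return 'ok' or a rejection reason; the account number never leaves."""
        mandate = self._vault.get(token)
        if mandate is None:
            return "unknown_token"
        # Constant-time comparison so a holder of a stolen token cannot
        # probe merchant ids by timing.
        if not hmac.compare_digest(mandate.merchant_id.encode(), merchant_id.encode()):
            return "wrong_merchant"
        if amount_cents <= 0 or amount_cents > mandate.max_amount_cents:
            return "amount_out_of_mandate"
        return "ok"


@dataclass
class MerchantDB:
    """What the merchant persists: customer id -> token, nothing else."""
    merchant_id: str
    tokens: dict[str, str] = field(default_factory=dict)

    def dump(self) -> str:
        # Simulates an attacker reading the whole table after a breach.
        return "\n".join(f"{customer},{token}" for customer, token in self.tokens.items())


def demo() -> dict:
    """Run the scenario and return each check's outcome (used by the test)."""
    processor = Processor()
    cable_co = MerchantDB("merchant_cableco")   # constructed merchant names
    other_co = MerchantDB("merchant_other")

    # Customer signs a mandate with the cable company capped at $120/month.
    account = "123456789"                        # constructed sample account number
    token = processor.tokenize(account, cable_co.merchant_id, 12_000)
    cable_co.tokens["customer_42"] = token

    leaked = cable_co.dump()                     # what a breach of cable_co yields
    return {
        "monthly_bill": processor.charge(token, cable_co.merchant_id, 9_999),
        "over_mandate": processor.charge(token, cable_co.merchant_id, 50_000),
        # Token copied out of cable_co's breached table and replayed elsewhere.
        "replay_by_other_merchant": processor.charge(token, other_co.merchant_id, 9_999),
        "forged_token": processor.charge("tok_" + "0" * 32, cable_co.merchant_id, 9_999),
        # The leaked table holds the token but not the account number.
        "dump_leaks_account": account in leaked,
        "dump_contains_token": token in leaked,
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The design point is that the merchant's breach surface shrinks to a table of opaque tokens that are only useful to that merchant and only within the mandate's ceiling; the account numbers themselves stay behind the processor's boundary, which is the separation the post describes.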


7 hours ago, Donut417 said:

Why do they need your SSN? I mean, I could see running credit for financing hardware, but they only do that on the cell phone side. If all the customer has is cable/internet/home phone, for example, they are generally leasing hardware from Comcast or they buy their own.

Probably partly to do a credit check, but also partly so they can use it to verify you are who you are.

 

Sure, everyone's SSN has probably been leaked by now, but it means someone who grabs your bill can't just call up and pretend completely to be you and make wide-sweeping changes (or if they suspect, they can ask essentially for the verification). My cable/internet carrier used to require a PIN for that verification process... having taken over the account management before and needing the PIN made it very difficult because no one could remember what the PIN was (turns out it was the address).

 

7 hours ago, Donut417 said:

The issue is these companies want info they shouldn't be allowed to have. Like a linked bank account? Why would you want the liability of storing that data? I understand there are fees with credit, but to my understanding fees for debit are on the card owner, not the merchant.

Well, that is why you have things like PCI compliance, and 3rd parties that do take care of that for you (and those companies also being PCI compliant)... because PCI compliance is crazy in terms of everything you have to do.

 

In that case, it's one of the reasons for having a 3rd party, because it simplifies your security while not really adding extra 3rd-party software into your system. Actually, if implemented right, the processor stuff will be pretty much isolated from the rest of your system.

 

From there it's like what leadeater said: you would only be storing the tokens (which are sometimes valid for only a certain amount of time). As leadeater said though, merchant fees... boy, can they add up quickly.

 

I'm actually not too against companies storing more information than they need (as long as it's not generally mandatory); I do have issues with how many different pieces of software now seem to be required to do jobs... too many potential failure points.

 

3 hours ago, leadeater said:

The only danger in authorized direct debit bank account transactions is accounting errors and getting double charged or the wrong charge, but legally those must be corrected.

Haha, those wrong charges can be a pain. While legally needing to be corrected, it can really mess people up when they get hit with like $20k withdrawals and it's not corrected quickly (and they get overdraft fees).

 

6 hours ago, kirashi said:

While compensation is nice, I'll never be satisfied with data breaches until people who caused the breach are actually punished in a meaningful way for allowing it to occur. To be clear, I don't mean we should penalize anyone who's just "doing their job" as directed by their boss - programmers / developers / etc. only have access to the resources as provided by their boss / MaNgLeMeNt. However, a fine of $X is usually just a drop in the bucket for most companies, and doesn't incentivize executives to prevent the problem from recurring.

The issue is it would always be hard to assign blame, and in some cases it can be a mistake that anyone could make.

 

Any non-trivial, non-small piece of software will have an exploitable flaw in it. So who is to be punished?

 

Look at Heartbleed as a prime example, where millions of servers overnight became "vulnerable" to attack. The flaw was an easy mistake for the programmer/software engineer to make. Should he be punished for making a mistake? It's like writing a book: there will always be a few grammatical errors that occur... it's not possible to realistically get perfection.

 

Sure, there will be times where the flaw comes from executives making bad choices, like not paying to have a proper amount of IT staff or outsourcing all the work to less reputable companies... but at the end of the day it's hard to really figure out which exec was to blame... as sometimes they get spoon-fed marketing fluff, or other times the COO/CTO didn't properly convey the need for staff/software. Sometimes it's inexperienced people who made the procedures that didn't give proper consideration.

 

So generally unless there is really something that was clear, there typically isn't anyone that you can point at.

3735928559 - Beware of the dead beef


1 hour ago, wanderingfool2 said:

Haha, those wrong charges can be a pain. While legally needing to be corrected, it can really mess people up when they get hit with like $20k withdrawals and it's not corrected quickly (and they get overdraft fees).

Yeah, it can certainly be a pain, although I don't think 20k is possible here. I don't think transactions that large are allowed to be direct debited here; not sure on that, probably depends on bank and account type.


4 hours ago, wanderingfool2 said:

Haha, those wrong charges can be a pain. While legally needing to be corrected, it can really mess people up when they get hit with like $20k withdrawals and it's not corrected quickly (and they get overdraft fees).

This happened to my sister. But it was only $300. They can take the money in an instant, but it always takes days before it's reposed to your account. They should have a penalty that companies have to pay when they fuck up. Because for a lot of people, having extra taken out can throw their entire life into disarray, because many live paycheck to paycheck.

 

8 hours ago, leadeater said:

Even here, electricity companies will check your history for that stuff.

But how can the electric company refuse you as a customer when they are a damned monopoly? That's the reason they have to grovel at the government every time they want to do a rate increase.

 

4 hours ago, wanderingfool2 said:

but it means someone who grabs your bill can't just call up and pretend completely to be you and make wide-sweeping changes (or if they suspect, they can ask essentially for the verification

If that were the case they would require it for everyone. Like I said in my post, my mom does not have her SSN on record with Comcast. We became customers when they acquired our cable company back in the day. I don't recall them having a PIN on our account.

I just want to sit back and watch the world burn. 


54 minutes ago, Donut417 said:

But how can the electric company refuse you as a customer when they are a damned monopoly?

NZ != [insert non NZ country here] 😉

 

But seriously no company wants to sign up a known non-payer.


6 hours ago, Donut417 said:

But how can the electric company refuse you as a customer when they are a damned monopoly? That's the reason they have to grovel at the government every time they want to do a rate increase.

Well, I'm assuming that if you are denied, there is a process behind it to connect electricity... like maybe having to pay upfront, etc., if your credit is declined. Or having to accept higher rates, etc.

 

9 hours ago, leadeater said:

Yeah, it can certainly be a pain, although I don't think 20k is possible here. I don't think transactions that large are allowed to be direct debited here; not sure on that, probably depends on bank and account type.

Yeah, 20k was a bit of hyperbole... although I do recall a few news stories of it being a few thousand... still enough to make someone's life miserable if it happens at the wrong time.

 

6 hours ago, Donut417 said:

If that were the case they would require it for everyone. Like I said in my post, my mom does not have her SSN on record with Comcast. We became customers when they acquired our cable company back in the day. I don't recall them having a PIN on our account.

It's like a password on a computer: it's recommended but not required everywhere. There is less incentive as well to make people give their SSN if they were already a customer and hadn't provided it.

3735928559 - Beware of the dead beef


14 hours ago, wanderingfool2 said:

Yeah, 20k was a bit of hyperbole... although I do recall a few news stories of it being a few thousand... still enough to make someone's life miserable if it happens at the wrong time.

A few hundred dollars would royally piss me off even if it would have basically no impact on me.

 



2 hours ago, leadeater said:

A few hundred dollars would royally piss me off even if it would have basically no impact on me.

 


Many Americans are a $500 to $1000 bill away from being fucked. So yeah, it would piss anyone off. In my opinion, if they mess up an automatic transaction like that, they should have to give the customer more money back as a penalty.

I just want to sit back and watch the world burn. 
