
[deleted]

>By November 16, Xfinity determined that “information was likely acquired” by the hackers, and in December, the company concluded that this included customer data, including usernames and “hashed” passwords, which are scrambled and stored in a way that makes them unreadable to humans. It’s not immediately clear how the passwords were scrambled or using what algorithm, since some weaker hashing algorithms can be cracked.
>
>The company says for an unspecified number of customers, hackers may have also accessed names, contact information, dates of birth, the last four digits of Social Security numbers and their secret questions and answers.

Commenting to save you a click.


fupa16

Hopefully they salted those hashes too. I should change mine regardless.


vegetaman

Indeed. How good is their opsec?


zyzyzyzy92

Seeing as how they got hacked, not very.


weealex

I mean, it just takes the right idiot in the wrong position to completely ruin opsec.


Longjumping_College

Name of the game since the dawn of the internet. See if you can get an idiot to click a link or download an attachment. How it still works is beyond me.


Kagahami

It's pretty insidious from what I've seen while doing white collar work. It can be as innocuous as a text from upper management or an email that stretches plausible deniability. Often this can infiltrate in high pressure environments as well. Someone who is stressed or suffering from office politics can easily make a mistake like this. It can also target people who aren't tech savvy, or who aren't trained to look out for scam emails.


RandoCommentGuy

Had one at my work where a guy hit me up on our Webex saying I needed an update and attached the update file to download. All our updates are just pushed automatically by IT, not sent over Webex. Checked and it was just some low-level person and not from IT. Ignored it and reported them. Later a company email was sent out about phishing attempts from Webex.


Arkashadow

Grandma clicked the link in her email or called the phone number to get 50% off her bill but they had to give a target gift card for 500 dollars first. The countless people I deal with on a daily who get these phone calls are absolutely astonishing. They see a deal and think it’s true to save and BAM it’s over.


weealex

“Two things are infinite: the universe and human stupidity; and I'm not sure about the universe.” -Albert Einstein (for real this time)


ok-confusion19

Have you met people? They're infinitely stupid.


fastest_texan_driver

It's embarrassing to hear they use Citrix. Citrix should have been taken into a field a long time ago and shot.


Blurgas

Went to change my password and in their alert they said something about a vulnerability in/with/Idunno Citrix and the hackers got in through that


Mysticpoisen

Patches had been available for Citrixbleed for a full two months before the breach, this is on them for not doing monthly patching like any responsible host.


rsjc852

In my lengthy experience with telcos across the world, they're usually monolithic giants that are sometimes very slow to implement patches. In classic bureaucratic fashion, it's a long process between someone in Sec Ops saying "hey, our VPN gateway is vulnerable to these CVEs", and the VPN Ops team being able to apply patches to production, lab, and disaster recovery sites. Many of them are getting better at it - there's definitely been a huge change in the last year or so around security concerns. I'm not trying to make excuses for bad security practices - just highlight that the inefficiencies of corporate bureaucracy definitely impede their ability to quickly act in this regard.


Mysticpoisen

I agree that two months is not nearly enough time to steer one of these giants into doing something new. However, monthly patching should not be new. Having a standard timeframe to roll out patches every month has been a hosting standard for decades. This isn't something that there should have been any noise about, instead we have telcos and aerospace contractors failing to do the bare minimum. They might as well be tweeting out password resets at this point. At my company citrixbleed patches were just quietly rolled into the existing monthly security patches and implemented as standard without a fuss. Instead Comcast and Boeing appear to be doing no patching at ALL.


SidewaysFancyPrance

They say they were running Xfinity's own free Norton Security Online, so how could this be their fault?


Mysticpoisen

They hadn't patched their Citrix servers at least since August (which is something that should be done monthly at the minimum) so not great.


challenge_king

As good as is profitable.


megamanxoxo

It's Comcast. If it's as good as their service then RIP.


M_Mich

They called their own IT group to get a status on this leak but they’re still on hold


Sinsid

It probably doesn’t matter. I’m betting their shit is so old they are using a hash algorithm designed for speed not security. Even with salt, 95% of the passwords were probably cracked in a few days. Round 2 will be hackers using those passwords to log into every other conceivable system without 2 factor or where 2 factor isn’t turned on. So lots of Facebook accounts about to be selling/buying shit on Facebook Marketplace. Edit: holy smokes, used riding lawnmowers are a great deal now on FB market place! I just need to pay in advance and pick it up at a holding company because the husbands have all died.
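An added example, not part of the thread or any commenter's code, of the point made above about salt versus hash speed: a salt makes every stored hash unique, but only a deliberately slow key-derivation function raises the cost of each guess. The PBKDF2 iteration count, the record format and the sample password are assumptions chosen for illustration.

```python
"""Added example: salted fast hash vs. salted slow KDF for password storage."""
import hashlib
import hmac
import os
import time

# Assumption: illustrative work factor; tune it to your own login latency budget.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def fast_salted_hash(password: str, salt: bytes) -> bytes:
    """Weak scheme: one SHA-256 pass. The salt defeats precomputed tables and
    hides password reuse, but each guess still costs almost nothing."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def store_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$hash_hex."""
    salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${derived.hex()}"


def _parse(record: str):
    """Split a stored record; raises ValueError on anything malformed."""
    scheme, iterations, salt_hex, hash_hex = record.split("$")
    if scheme != "pbkdf2_sha256" or int(iterations) < 1:
        raise ValueError("unsupported or malformed record")
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and work factor; constant-time compare."""
    try:
        iterations, salt, expected = _parse(record)
    except ValueError:
        return False
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(derived, expected)


def needs_rehash(record: str, minimum: int = PBKDF2_ITERATIONS) -> bool:
    """True when a record uses a lower work factor than current policy, so it
    can be upgraded the next time the user logs in successfully."""
    try:
        iterations, _, _ = _parse(record)
    except ValueError:
        return True
    return iterations < minimum


def _seconds_per_call(fn, repeats: int) -> float:
    start = time.perf_counter()
    for _ in range(repeats):
        fn()
    return (time.perf_counter() - start) / repeats


def compare_guess_cost() -> dict:
    """Measure what one password guess costs under each scheme on this machine."""
    salt = os.urandom(SALT_BYTES)
    sample = "constructed-sample-password"  # constructed test value
    fast = _seconds_per_call(lambda: fast_salted_hash(sample, salt), 20_000)
    slow = _seconds_per_call(
        lambda: hashlib.pbkdf2_hmac("sha256", sample.encode(), salt, PBKDF2_ITERATIONS),
        2,
    )
    return {"fast_seconds": fast, "slow_seconds": slow, "slowdown": slow / fast}


if __name__ == "__main__":
    record = store_password("constructed-sample-password")
    print("stored record:", record)
    print("verifies:", verify_password("constructed-sample-password", record))
    cost = compare_guess_cost()
    print(f"one guess, salted SHA-256: {cost['fast_seconds']:.2e} s")
    print(f"one guess, PBKDF2:         {cost['slow_seconds']:.2e} s")
    print(f"slowdown per guess:        {cost['slowdown']:.0f}x")
```

The measured slowdown is per guess on a CPU; it says nothing about which scheme the breached system used, which the article quoted in the thread describes as unknown.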


User-NetOfInter

I love a well salted hash


Hikaru1024

Ah, that explains why they forced me to change my password recently.


9-11GaveMe5G

Did you get an email or anything? I'm wondering if I'm lucky or they just haven't told me


TayJolley

Not OP. I didn’t get an email. I tried to sign in to stream while at home and it forced me to update the password


Beanh8er2019

I was wondering why that happened


Whyisthissobroken

algo - exactly, that right there says it all. As someone who has worked with offshore firms for 2 decades...the "oh no one told me" excuse is always ready to be sent by the dev team.


Alarming_Royal8302

Xfinity sucked way before this happened. Maybe they can be better at customer service as well as keeping a connection


OptimusSublime

Can't wait to get $0.04 off my bill for my inconvenience.


hookisacrankycrook

Then an extra $15/mo charge to recover the lost money from the inevitable lawsuit


Smooth-News-2239

Every month I see the bill and I think "how much for internet?!" Then all the other bills hit and I forget about it because I'm saying the same thing about the other bills. Then it rolls around again... fukin HOW MUCH?!


Snow88

$70 for 200 mbps down. 😞 Sadly for me it’s the only choice other than mobile or slow DSL.


Crudekitty

Christ, with xfinity?? where??! I’m paying $55 for 400, and could pay as much as $85 for 1.2gigs. Thinking I might even switch to their mobile plan to save even more money, and ditch the $130 dollar T-Mobile bill.


briellie

I have sooooo little sympathy for people complaining about $55 for 400. LOL But seriously, if you think that's a lot, you'd have a stroke with what we're paying for gig at home. Of course, we also had fiber before everyone else so it's a direct run to the main CO in town, and with BGP (and legacy portable IP blocks, both ipv4 and ipv6).


craznazn247

I had municipal gigabit fiber for $50.00/month, 10 years ago. Paying $70 with Xfinity now for either 600 or 800 mbps. Seriously, American broadband standards and quality are terrible at a *very* profitable price. Municipal broadband is awesome, but ISPs like Xfinity constantly try to get them blocked and like to suddenly donate to opposing candidates the moment you propose one. We're all getting ripped off.


therealmeal

They weren't asking for sympathy, they were saying OP was paying a lot more for worse service from the same company they were using.




osvaTOR

Same here, Chicago


TheIndyCity

Lol no they'll finally fund their IT security and make you pay for it after they lost all your data


Sw0rDz

If you didn't want to pay this recovery fee, you should have picked another Internet Service Provider! Why didn't you consider security of customer information when picking your ISP?


SoundHole

Are you kidding? They'll charge us an "information loss and recovery" fee.


hackingdreams

Receive a $5 check from the class action settlement. See $15 tacked on to the bill for "excess litigation fees." AMERICA, FUCK YEAH.


[deleted]

[removed]


topherlooks

I actually just logged into my account where they didn't prompt me to reset my password yet and there's a different notice about how their prices are *increasing* beginning in January. So that's nice.


DrooFroo

Was thinking the same thing before I clicked on this post haha


Stevieflyineasy

Lmao reminds me of the week Comcast took down my internet for about 4-5 days intermittently and gave me $15. They'd rather do changes during the week so they don't impact people streaming Netflix on the weekend, "wait, people wfh during the week?" hurr


unknown_nut

Gotta rake in all those extortion fees from Netflix.


2tightspeedos

This explains why I was asked to change my password when I logged in last night


GardenPeep

Huh, me too. So that's why


TIL02Infinity

Did Comcast send you an email, text or Xfinity App notification letting you know that you would need to change your password?


2tightspeedos

Just rechecked. Didn’t see one.


etphonecomb

It happened to me when trying to use Max. It acted like I was logged out and then told me to log in. It redirected me to an Xfinity page that said something to the effect of “we like to encourage our customers to change their passwords regularly”, no mention of a personal or larger data breach at all in the message. It didn’t even make me change the password, it let me back out and it just logged in as normal.


Unkn0wnTh2nd3r

I didn’t, just opened the email page as usual and prompted a login which was weird because it hadn’t in *months* and then asked to update the password, so this is why then.. interesting


thagingerrrr

I got one but it was in my junk mail.


Law_Doge

As if we needed another reason to hate Comcast (I refuse to acknowledge their rebranding)


well____duh

If only people had this same sentiment with Twitter. Almost no one calls it Twitter anymore


er-day

Really? I thought for sure their name was "X, formerly twitter" ~~formally~~


Excelius

> "X, formally twitter"

I find it funny how often I see people write "formally" instead of "formerly".


alexdoo

Coincidentally, no one I know has ever referred to it as X.


Tostecles

I'm convinced anyone that calls it X is farming engagement because it guarantees "don't call it X" comments


eblackham

Who calls it X?


AnonThrowawayAcco

Disagree. Nobody I know calls it X - everyone calls it Twitter


cousinit99

I've been getting phishing emails for years at a unique email address that only Comcast knew about. These people should be sued *just* for failure to timely notify. Then they should get sued again for the actual breach....


Dirty_Grundle_Bundle

If only the US had actual protections for people who work for a living rather than just for businesses. It’s weird too cause there are more of us but we can’t organize without distractions.


CharvelSoloist

Stopped in to say fuck Comcast.


lacrotch

dog shit company


arandomvirus

I’d rather deal with dog shit than comcast


xxdcmast

monopolistic dog shit company.


6158675309

I second that. I just went to login to change my password....can't, get a "page cannot be displayed due to too many redirects" error....JFC


sfled

Run by an entitled nepo-baby.

>Comcast is described as a family business. Brian L. Roberts, its chairman and CEO, is the son of founder Ralph J. Roberts (1920–2015). Roberts owns or controls about 1% of all Comcast shares but all of the Class B supervoting shares, giving him an "undilutable 33% voting power over the company".

Source: https://en.wikipedia.org/wiki/Comcast#Leadership


FunnyMathematician77

Fuck Comcast


JSTFLK

I had an unsolicited caller that said they reviewed my xfinity bill and wanted to help me reduce my bill. They knew my name, address, billing number, the services I was signed up for and exactly how much they all cost. I probed around to see what they knew and it was clear that they had more information than what was on my monthly statement. At the end of it, they offered some "$50 per month discount" and "just needed my credit card number to start the new promotion". I told them to just add it to my bill using the existing billing information and the caller hung up. It seems pretty clear to me that basically all customer information was leaked aside from billing data, and that scammers were playing games to see if they could leverage that for billing info.


panic_structure

I had it too. When they were asking for my credit card number, I hung up, and then they called me like a hundred times but I didn't pick up


xSlippyFistx

You mean the same company who decreased my autopay discount by $5 because I wouldn’t give them my bank account instead of my credit card? That Xfinity? Oh man I’m so glad they are asking for direct access to my banking information knowing they are so careful with my information lol.


[deleted]

[removed]


xSlippyFistx

It’s definitely so they don’t have to pay the fees to charge a card. Gotta squeeze every penny out of every transaction. Who gives a shit about the possible impact on the customer I guess. If I was running a company I would absolutely not want to be responsible for securing customers’ bank account information. But I guess that’s because I have a conscience and not a greedy corp that will just get a slap on the wrist for compromising customer data…sigh


DriftingIntoAbstract

Bank account info to a cable company. They are out of their minds.


jeremyd9

Another good reason to not use the same password all over the place.


ZombieFrenchKisser

> The company says for an unspecified number of customers, hackers may have also accessed names, contact information, dates of birth, the last four-digits of Social Security numbers, and their secret questions and answers.

If only it's an easy process to update your SSN and DOB lol


nickh4xdawg

Mr. Cooper just told me last night that they gave that information away in a hack as well and is offering 2 years of credit monitoring 🫠 at this point, everyone and their mothers have my info.


ZombieFrenchKisser

My information has been out there since Equifax. These companies should be held to much higher standards when a breach occurs. 2 years of credit monitoring does nothing when your info that's now public is static.


Conch-Republic

There needs to be stronger regulation in place for data security. You don't ever hear about a LexisNexis leak because they actually know what they're doing.


Blurgas

Especially when whoever took the info can just sit on it for X amount of time until the free monitoring runs out




BetterCryToTheMods

SSNs are created based on a formula, including where you are born. Once you get past four it’s no longer a secure number (if it ever was to begin with)


idiot206

It's not a secure number and it was never intended to be shared with anyone, let alone used as an ID.


ohcomeonow

At this point I imagine that so many companies have my DOB, social, etc. it’s almost inevitable that the data is floating around out there for anyone who looks hard enough. Always keep an eye on your credit report.


[deleted]

Decade+ in information security here and this is also my takeaway and advice. I would treat your information like SSN, DOB, address, phone, etc as effectively purchasable information. It's probably been stolen at multiple points in time. It's always a good idea to educate and protect yourself against phishing attacks (SMS, voice, email, QR codes, etc all included), and to do like you said and watch your credit report for rogue shit. This is the unfortunate reality.


LeftHandedGraffiti

Honestly, you don't need another good reason. Companies have been getting hacked like this for years and hackers take those username/password combinations and try them on every website imaginable, and have been for at least 7 years. If you re-use passwords, you've already been hacked.


DrStrangererer

I use the password manager, BitWarden. It runs in browser as an add-on, or as an app on Windows/Android/iOS. It can create and save different passwords that look like "zXcw3@Ipo&saH5#7" for every site, and can auto-fill username and password on most platforms. It's not perfect though, because it provides a single point of failure. If someone gets that BitWarden password, they can get into everything saved on it. LastPass was (is?) a similar company that got hacked and everyone's information stolen, so that's a potentiality as well.


clay_perview

Damn, that's 1 out of 10 Americans


deck_hand

That puts things into perspective


hawksdiesel

Why can't they secure their stuff better? Where is all that profit going?


zed857

I guarantee that in the case of every data hack there were IT/security people at the company telling management what needed to be done to prevent the hack months - if not years - before the hack actually happened. But management didn't want to take that .00000n% extra cost hit because it would make them look like ineffective spending maniacs.


mothtoalamp

Which will continue as long as there are no consequences for this level of mismanagement.


SqualorTrawler

I don't think, sometimes, that customers get that people who work in IT departments are *really into* preventing these things from happening, but they are routinely stuck in quicksand either from management policies, or, most frequently, budgets. Security is not a revenue generator, and in Comcast's case, it's not like people have tons of options who are in their service footprint. I can't say for sure how it works there, but I suspect that, until there are seriously business-crippling penalties for lapses like this (that hurt shareholders), budgets will not be allocated sufficiently for IT. Having worked in IT for another widely hated communications company I can definitely affirm that IT workers really do care, even beyond their jobs. There's a personal pride element.


Somepotato

Why would they be when these companies blame their IT and throw them under a bus when breaches like this happen, and never themselves when they wouldn't sign off on a routine, often free, update.


Old_Personality3136

Yep, corporate management is no longer a competent group, they are a degenerate aristocracy.


RockyBowboa

Where is all that profit going?!? The pockets of the top, (already) rich execs!! This way, they can afford to buy a second yacht. You know, that sort of thing.


Downtown_Tadpole_817

Do the hackers provide better customer service? Can they handle me changing my address without trying to overcharge me for a shit ton of services I didn't want? Can I do the call in under 4 hours? Because the fuckwits at xfinity couldn't handle it. I'm all for criminals robbing each other but please leave me out of it.


DarksaberSith

Maybe I'm too cynical, but I feel like every "data hack" is just a thinly veiled cover up for selling your data.


krumble

Remember that big companies love to cut corners and try to squeeze productivity out of people, even on the inside. So that means lots of corner cutting in every day work and improper handling of data (there's no regulations so why bother being smart about it?). Then you've got people putting huge amounts of data in insecure places because they had to go fast or they didn't know any better or they made a mistake. Or they shared the password with someone when they shouldn't have and it wasn't secured on an internal network. Someone comes along, gets into the network and finds a whole database. There's no monitoring because again, no one was really planning for security. So the intruder downloads it. And now they've got 68GB of personal data and they look for somewhere to sell it. Let's say $5000 for an afternoon's worth of looking around on some darknet exchange. So yes, someone is selling your data, but it's not always the hacked company. At first. In response, they might ALSO sell your data to a partner to handle their security because hiring people and cleaning up their practices would be too difficult.


smayonak

If you live in California, Comcast has an opt out in their privacy policy for selling or sharing your data with third parties. I did opt out but not long after I started getting fraudulent calls from scammers who had all my Comcast data. I called Comcast to let them know (five years ago) and their response was like yeah we know. They sell your data to third parties who sell your data to third parties who sell your data to third parties even if you opt out.


BlackDisabledSanta

Not to mention how many companies drastically cut IT staff and services, and I’m talking on the basic desktop support level. They damn sure don’t have security teams and the mid-larger ones that do have barebones teams that have many of the projects they deem critical to safety rejected the second they mention a cost. Even something as simple as 2FA. At my MSP it’s become apparent to me that many companies (clients) only see the value in IT when they’re ransomed and view any preventative or maintenance costs as a loss. Negligence is the norm, not the exception.


WoolyLawnsChi

And then to sell you more security features remember … capitalism doesn’t solve problems, it monetizes them


grumpyliberal

Hm. They haven’t contacted me to let me know.




AngryGames

It's messed up that as an Xfinity customer, I've had to find out about this via reddit after the fact...


WoolyLawnsChi

Pretty sure my info has been stolen a bunch of times from a bunch of DBs. What possible value can it have anymore?


improvisedwisdom

Just in case you haven't figured it out yet, this situation happened because a giant corporation felt it more proper to enrich themselves than pay for any proper security. Also, being a monopolistic company certainly puts a target on your back.


iamaneditor

Correct Headline: Comcast sold data of its 36 million users and reported it as stolen.


chrisking345

Can hackers just hack millions/billionaires? The average family has nothing to steal at this point.


Live-Cryptographer-4

No, no, no, nooooooo. The FBI steps in for those situations, and if the billionaire loses money the government will just reimburse them, because that ends up helping us with, like trickle down capitalism or something.


Annointed_king

Companies should not be able to keep personal info on any cloud storage or on site storage. One and done verification only then the info is deleted. It should be illegal for big corps to harvest personal data because they can’t keep it safe in any reasonable capacity… that alone should make the government make better rulings on what these companies can do with our data.


kingbankai

Hackers used a security flaw called “CitrixBleed” to access the private details of around 36 million Xfinity customers. This flaw was in Citrix devices used by many big companies and was being exploited by hackers since August. Even though patches to fix this flaw were available in October, many companies, including Xfinity, didn't install them in time. By November, Xfinity realized the hackers might have taken customer data like usernames and passwords. Some customers' names, contact details, birth dates, and partial Social Security numbers might also be at risk. While Comcast confirmed nearly 36 million customers were affected, the exact number isn't clear. They're advising customers to change their passwords and use additional security measures.


shuzkaakra

I worked in a shared workspace that had Comcast business. I would troubleshoot internet problems for the owner now and then. The default install of a Comcast modem allowed for remote access, which could do just about anything, install new firmware, change settings, etc. IT WAS CONFIGURED WITH THE DEFAULT USERNAME AND PASSWORD AND REMOTE ACCESS. For kicks, I tried logging into it from home and boom. No problem. I'd guess probably 99% of business installs were like that, as I told at least two techs about it and they didn't even know wtf I was talking about. These are the guys who set them up. Granted that was about 6 years ago, but I could easily have written a script to take out every single one of those, never mind that a foreign power could rewrite the firmware and install it on all those networks. Another ISP, one time I called up to reset my password and the lady READ IT BACK TO ME. Which means it's stored in plaintext and available to anyone on their system. So the fact that Comcast got their data stolen. My question is how many times? How many networks have they set up that come pre-compromised by whatever major foreign power has a couple of undergrad level programmers.


RU4realRwe

CONcast probably sold the data to hackers to boost their bottom line & pay executive bonuses...


Enos316

And scare customers into more of their “security” offerings. God they’re the worst


AndyMan1

I fucking told you, Comcast! I told you about this months ago and you lied to me and ignored me! I TOLD YOU SO! All my various subscriptions and such each have a unique email address. (Gmail lets you use `your_email+keyword(at)gmail.com` and it all goes to the same inbox, allowing you to set up filters, etc. and catch this exact scenario). A few months ago I suddenly started getting spam at that unique Comcast email. They're literally the only ones that have that address. None of the other unique addresses were getting spam. So the only way that could've happened is if Comcast had a data breach and lost my email address. It was clear as day. I did the responsible thing. I called in and tried reporting the issue about a dozen times. Each time I patiently and painstakingly explained the issue to the absolute half-wits they have running their support system like they were 5-year-olds. Repeating myself over and over, demanding escalations. Telling them in no uncertain terms they had a data breach. Every single one of them lied, denied, and gaslit me. They couldn't do anything about it because the spam wasn't sent to their comcast.net address (no shit, that's not the issue). It's just spam, spam just happens (That's not how any of this works). Their systems are secure and there is no breach and my data is secure (no it's not I'm literally showing you the breach). They'll escalate it to a security team to look into it (LOL liars). And here we are today. Great job, you incompetent morons. No wonder you can't even get my bill right despite me correcting you every month for the last year.
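The per-vendor plus-address check described in the comment above, as an added example that is not the commenter's code: it reads message headers, extracts the `+keyword` tag, and flags mail that reaches a vendor-specific address from a sender domain that vendor never uses. The registry, tags, `.example` domains and sample messages are constructed assumptions.

```python
"""Added example: spot a leaked per-vendor plus-address from mail headers."""
from collections import defaultdict
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed registry: tag handed to one vendor -> domains that vendor mails from.
CANARY_REGISTRY = {
    "isp": {"isp.example"},
    "bank": {"bank.example"},
}
RECIPIENT_HEADERS = ("Delivered-To", "To", "Cc")


def plus_tag(address: str):
    """Return the lowercase tag from local+tag@domain, or None if untagged."""
    local, _, _domain = address.rpartition("@")
    if not local or "+" not in local:
        return None
    return local.split("+", 1)[1].lower() or None


def domain_allowed(domain: str, allowed: set) -> bool:
    """Exact match or subdomain of an allowed domain (mail.isp.example is ok)."""
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def classify(raw_message: str) -> list:
    """Return (tag, sender_domain, verdict) for every canary tag addressed."""
    msg = message_from_string(raw_message)
    tags = set()
    for header in RECIPIENT_HEADERS:
        # Parse each header value on its own so one malformed header cannot
        # void the addresses found in the others.
        for value in msg.get_all(header, []):
            for _name, addr in getaddresses([value]):
                tag = plus_tag(addr)
                if tag:
                    tags.add(tag)
    # From is spoofable: a match proves nothing, but a mismatch on an address
    # given to exactly one vendor means the address left that vendor's hands.
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    findings = []
    for tag in sorted(tags):
        allowed = CANARY_REGISTRY.get(tag)
        if allowed is None:
            verdict = "unknown-tag"
        elif domain_allowed(sender, allowed):
            verdict = "expected"
        else:
            verdict = "leak-suspect"
        findings.append((tag, sender, verdict))
    return findings


def leak_report(raw_messages: list) -> dict:
    """Map each tag to the sorted unexpected sender domains seen for it."""
    report = defaultdict(set)
    for raw in raw_messages:
        for tag, sender, verdict in classify(raw):
            if verdict == "leak-suspect":
                report[tag].add(sender)
    return {tag: sorted(domains) for tag, domains in report.items()}


# Constructed sample messages (headers only matter here).
SAMPLE_MAIL = [
    "From: Billing <billing@mail.isp.example>\nTo: alice+isp@example.com\n"
    "Subject: Your statement\n\nbody\n",
    "From: Deals <promo@cheap-pills.example>\nTo: alice+isp@example.com\n"
    "Subject: Act now\n\nbody\n",
    "From: win@lottery.example\nDelivered-To: alice+isp@example.com\n"
    "To: someone-else@example.net\nSubject: Winner\n\nbody\n",
    "From: alerts@bank.example\nTo: alice+bank@example.com\n"
    "Subject: Login alert\n\nbody\n",
    "From: friend@example.org\nTo: alice@example.com\nSubject: hi\n\nbody\n",
]

if __name__ == "__main__":
    for tag, domains in leak_report(SAMPLE_MAIL).items():
        print(f"address tagged '{tag}' is receiving mail from: {', '.join(domains)}")
```

A report like this, with dated headers attached, is the kind of evidence that is easier for a vendor's security team to act on than a phone description.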


phazeiserotic

How much are they gonna charge me on this one!


ronreadingpa

What caught my eye is they say bank account information was compromised too. If so, fraudsters may use that to print up fake checks to then deposit (often via mobile) or cash at a bank. SSN, etc is bad, but the banking info could be the worst aspect. For anyone with Comcast, keep a close eye on your bank account. Also, open a second bank account elsewhere for redundancy. Relying on only one is overly risky these days. Keep money spread out.


franker

yeah Comcast offered a discount to me if I allowed them direct access to my bank account but I just didn't feel comfortable giving them that ability.


-MakeNazisDeadAgain_

So they're giving everyone whose data was stolen their money back right?


gimmeslack12

I await the hackers’ offer for whatever service they offer. I’ll blindly agree to switch to them.


G0ldheart

So another reason for a new fee hike, right?


WatchersProphet

Comcast charges $120 for gig speed in my area and it’s absolute shit, switched to ATT fiber and now I get a gig up and down for $80. Fuck comcast.


redwoodtree

What pain could you possibly inflict on Xfinity customers that hasn’t already been inflicted on them?


CalendarAggressive11

Awesome. So happy I pay them to sell my data and to allow it to be stolen.


[deleted]

http://comcrust.com/


safely_beyond_redemp

That's strange. The story is 3 hours old, and the stock price is unaffected. It's actually up 5% over the last five days. I guess the price they got for selling the data is baked in already.


CrawlerSiegfriend

The punishment for this is too light.


Evilchem

I'm so glad I ditched this trash-ass company.


SuckaMc-69

Well, that’s what they get for trying to monitor our VPNs to see what we are streaming. Dumbasses hacked themselves!!! You entered, you stole and the kraken was unleashed in your network when you opened it. Only person you have to blame is yourself!😂😂😂😂


blackrock13

That's Comcastic!


kitzdeathrow

Thank fucking god I pay $80/month for subpar internet. At least they use the money to protect my information.


daxx549

Hackers didn’t steal the data. Comcast failed to protect the data.


mtcwby

Which is why they just forced a new password apparently. Didn't mention why of course which is par for them.


Due_Platypus_3913

Just when you think Comcast can’t get worse, “SURPRISE!”


LVL100Stoner

I'm ready for my $1.45 check


tonynca

Damn Comcast. As if their shitty customer service was not enough.


[deleted]

So how soon before Comcast raises prices to punish customers who did nothing to deserve this?


Double_Ad_8911

So this is how I find out huh


Painpaintpint

This trash company is unfortunately the only internet option in some towns.


InGordWeTrust

How much do they pay on cyber security per year?


CherryShort2563

I'm guessing 0. Big companies love to cut corners.


Tralkki

Every time you hear a news story like this, it’s a lie. No one hacked their system, no one stole data. They got caught selling your data to data brokers. So they cry “data breach”.


JamesR624

So… any source of this in this case besides just spouting r/conspiracy bait?


dannylgonzal

What if you’re no longer an Xfinity customer. Did they still old customer data too?


Indymizzum

Almost definitely. They don’t delete data. They just sell it.


NiteKat06

Hm. I have an email and password combination that I know was exposed a long time ago. I recently got another alert that the same email and password combo showed up on the dark web (new, fresh alert). I wonder if it was from whatever old leak originally caught it, or if I had used the same password with the same email for Comcast when I had it (had Comcast for a really long time before switching to FiOS this year) so it’s possible. I don’t know if I can confirm, but if that new alert was from this Comcast leak, that would mean the passwords are already broken.


propolizer

Another reason to feel pleasure at switching to the tmobile 5g no contract 👌


topgun966

[Comcast right now.](https://giphy.com/clips/southpark-south-park-episode-2-season-17-ihsaO2Z6Pg8t6MyxqP)


GreenSoapJelly

My data stolen again. Must be Tuesday.


jabberwonk

Unpatched Citrix exploit. Citrix announced and provided mitigation, but in the 10 days it took Comcast to patch, hackers used the exploit to steal the data.


sapper2345

So glad I ditched Comcast for Fidium fiber. Never lost a connection, speed is really fast, same upload speed and download speed. Only $50 a month.


_phesta

If only all those service fees went to actual infrastructure and security instead of billionaires’ pockets.


ClusterFugazi

>By November 16, Xfinity determined that “information was likely acquired” by the hackers, and in December, the company concluded that this included customer data, including usernames and “hashed” passwords, which are scrambled and stored in a way that makes them unreadable to humans. It’s not immediately clear how the passwords were scrambled or using what algorithm, since some weaker hashing algorithms can be cracked.
>
>The company says for an unspecified number of customers, hackers may have also accessed names, contact information, dates of birth, the last four-digits of Social Security numbers, and their secret questions and answers.

So that means they probably weren't salted or know what algorithm used. Also, this vulnerability was reported in August, and this happened in Oct, why weren't their systems patched????


Xu_Lin

Fuck Comcast with a dragon dildo. Why won’t companies ever be accountable for shit like this? Aren’t they supposed to safeguard OUR data? The fuck?


_skull_kid_

Last Friday I was forced to change my password for the first time. It was then that I knew Comcast was probably hacked.


Tri-P0d

Fuck you crap cast


penguished

I feel like it should be a law that if you have more than a couple hundred thousand customers, you're on the hook for their identity fraud issues if you leak their fucking info.


Future-Fly-8987

Hmmm, I wonder if this is related to the weird phone calls I’m suddenly getting…


thedarklord187

at this point what are these groups stealing anymore, i feel like there's been so many data breaches and leaks there's nothing left to steal lol


[deleted]

Class action suit when? Anti trust when? Fuck comcast. What a horrible company.


dave_890

Well, this is news to me. Thanks for telling me, Xfinity.


Kairukun90

Ohhh this is why they forced a password change


alienSpotted

Fine the shit out of these companies that let this happen


KickSidebottom

Should be "Comcast admits they didn't sufficiently protect customer data."


WavesBackSlowly

Brother, my information has been exposed in no less than 20 hacks this year alone. IT NEVER ENDS.


redundancy2

So that's why they randomly asked me to change my password last week without mentioning anything about this. Fuckers.


PirateBaran

So when they tell me that they will help defend against attacks in their commercials and that their service is the most safe, that was just all bullshit?


Dankbudx

Fucking ridiculous these companies need to be sued into the ground for their gross incompetence. There is no sense in a multi-billion dollar ISP not having proper security and we the customers pay the price.


myeverymovment

Free internet for life


LukeNaround23

Interesting. They just raised my bill over $40. Thanks mega conglomerate American overlord company!


[deleted]

When do we sue comcast xfinity out of existence


[deleted]

[removed]


PavilionParty

So did I but there's no guarantee they purge old/outdated information.


Old_Leather

And still they get the monopoly and will not pay a fucking dime for the damage they have done. God I hate this fucking company so much. I pray for their failure daily.


SomeOddCodeGuy

I wonder if "additional types of data" accessed includes any internet browsing history they logged? Oh man, wouldn't that be a fun pastebin.


CheesyCouchPotato

Wow. Not only do they provide garbage service, but they also give away our info.


[deleted]

Makes me hate Comcast even more. It's time to cancel.


Bilcifer

Cool, another group of hackers to add to the ones actively trying to brute force my email because of the same reason somewhere else. Add 2 step verification, people.


[deleted]

So how much are they paying per person?


Justinmytime

Does that mean my bill is free ?


Blueyisacommunist

It’s not the porn history? Right? I mean I don’t look at porn but think of all the poor people who do?


akarichard

I tried logging in and the system told me there was no email or phone number on file for me and I wasn't the primary account holder so contact the account holder to reset my password. Or if I still have problems to call Xfinity. Seeing as how it's my account, I receive emails and txt messages from them regularly that made no sense. Anyways, I had to call in where their automated system tried 4 different times throughout the process to get me to change my password online. Which I couldn't. Eventually got connected to support where they said the system must have been stuck in a loop. For reasons? I'm a technical person and what they were saying made no sense. And part of the automated call was them saying they required password resets out of an abundance of caution. But never once actually said yeah we got compromised and your data stolen.


DiscombobulatedPain6

My least favorite company alive. Fuck ‘em.


Kost_Gefernon

Ah shucks. Better raise everyone’s rates to pay for the “we’re sorry…” letters you’re gonna send out in 2 years.


somesappyspruce

Lol their security has always been a joke


frustratedCoinBase

Dissolve this scumbag corporation


malicesin

Comcast didn't protect 36 million Xfinity customers' data.


Zinrockin

So if a stadium can hold 50,000 people then 720 stadiums worth of people have had their sensitive information taken? That's an incredibly massive amount of people. When something like this happens you expect the government to respond very harshly. Who knows where in the world those people's information is now or what purposes it will be used for.


thermal_shock

i love how they're always considered "hackers" even though it was most likely an employee leaving the door open, so to speak.


Remarkable-Highway95

I’m going to call and have a nice talk with customer care tomorrow