Comcast Xfinity, the cable company, exposed partial home addresses and Social Security numbers of millions of customers, reported BuzzFeed News.
Citing Ryan Stevenson, a security researcher who found the security vulnerabilities, BuzzFeed reported that the data of more than 26.5 million customers was exposed. According to the report, two other security holes that weren’t reported in its online customer portal enabled even less sophisticated hackers to get access to the personal data. BuzzFeed reported that Comcast patched the holes.
“We quickly investigated these issues, and within hours we blocked both vulnerabilities, eliminating the ability to conduct the actions described by these researchers,” noted the report. “We take our customers’ security very seriously, and we have no reason to believe these vulnerabilities were ever used against Comcast customers outside of the research described in this report.”
The company hasn’t detected any resulting nefarious actions, but said it will continue to investigate the issue.
According to the report, one of the vulnerabilities was in the in-home authentication page, where Comcast customers pay bills online without having to sign on. Customers are asked to verify their accounts by choosing from four partial addresses. If a hacker is able to get the IP address of the customer and gets in, they can figure out the customers’ location.
This isn’t the first time Comcast has been in the news because of data breaches or leaks. In May, Stevenson – along with researcher Karan Saini – found a flaw in Comcast’s website used for the activation of Xfinity routers, which could be exploited to harvest sensitive consumer information.
According to reports at the time, the purpose of the site is to make it easy for customers to set up their home internet without a customer service call. It’s a useful service, except for the fact that it can apparently be tricked into displaying the home address of wherever the router happens to be. The site can also be forced to cough up a user’s Wi-Fi name and password.