Tue. Jul 14th, 2020

Comcast Xfinity data breach: 26.5 million user personal information leaked


Recently, security researcher Ryan Stevenson revealed that Comcast Xfinity inadvertently exposed the home addresses and social security numbers of more than 26.5 million users. Two previously unreported vulnerabilities were found on the online customer portal of the nation’s second-largest Internet service provider, and they made it easy for even hackers with little expertise to access this sensitive information.

After BuzzFeed News reported the findings to Comcast, the company fixed the vulnerabilities; spokesperson David McGuire told BuzzFeed News: “We quickly investigated these issues and within hours we blocked both vulnerabilities, eliminating the ability to conduct the actions described by these researchers. We take our customers’ security very seriously, and we have no reason to believe these vulnerabilities were ever used against Comcast customers outside of the research described in this report.”

According to Stevenson, one of the vulnerabilities could be exploited through the “in-home authentication” page. On this page, users could pay their bills without logging in with a username and password: the Comcast Xfinity portal authenticated the user by asking security questions, one of which listed four home address options, and the user needed to choose the right one.

After learning about this vulnerability, Comcast disabled this authentication method. Users now need to enter their personal information manually to complete the authentication.

Using the second vulnerability Stevenson discovered, the last four digits of a user’s social security number could be obtained through the registration page of the Comcast Xfinity portal. Given a single user’s billing address, a hacker could brute force the last four digits (that is, repeatedly try four-digit combinations until the correct one is guessed). Because the registration page did not limit the number of attempts, the hacker could fully automate the guessing and arrive at the correct combination.
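The defect the article describes is the missing attempt limit on the registration page. The following is an added example, not Comcast’s code or anything from the report, of how a server-side check of the last four digits can enforce a per-address attempt limit and lockout; the sample record, the address, the threshold of five attempts and the 15-minute lockout are all assumed values.

```python
import hmac
import time
from collections import defaultdict

# Constructed sample data: one registration record keyed by billing address,
# holding only the last four SSN digits (hypothetical address and value).
RECORDS = {"123 Example St, Anytown": "4321"}

MAX_ATTEMPTS = 5            # assumed policy: lock after 5 consecutive failures
LOCKOUT_SECONDS = 15 * 60   # assumed policy: 15-minute lockout per address


class LastFourVerifier:
    """Verifies the last four SSN digits for a billing address, with a per-address
    attempt limit so that exhaustive guessing of the 10,000 possible values is
    cut off after MAX_ATTEMPTS failures instead of running unchecked."""

    def __init__(self, records, now=time.monotonic):
        self._records = records
        self._now = now                     # injectable clock, for testing
        self._failures = defaultdict(int)   # address -> consecutive failures
        self._locked_until = {}             # address -> monotonic unlock time

    def verify(self, address, last_four):
        """Returns "ok", "wrong" or "locked"; a locked address is refused even
        when the submitted digits are correct, until the lockout expires."""
        t = self._now()
        if self._locked_until.get(address, 0) > t:
            return "locked"
        expected = self._records.get(address)
        # Constant-time comparison; an unknown address fails the same way as a
        # wrong guess, so the response does not confirm which addresses exist.
        ok = expected is not None and hmac.compare_digest(expected, last_four)
        if ok:
            self._failures.pop(address, None)
            return "ok"
        self._failures[address] += 1
        if self._failures[address] >= MAX_ATTEMPTS:
            self._locked_until[address] = t + LOCKOUT_SECONDS
            self._failures.pop(address, None)
            return "locked"
        return "wrong"
```

In a real deployment the counters would live in shared storage (not per-process memory) and lockouts would also be logged, since a burst of lockouts across many addresses is itself a detection signal for automated guessing.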

In the United States, social security numbers have in recent years become the de facto national identification number and are extremely important to citizens. Many companies, including credit card companies and Internet service providers, use the last four digits of a social security number to authenticate users by phone or online, so a hacker holding the last four digits of a stolen social security number can deceive those companies’ customer service into granting access to the user’s online account, and from there obtain more of the user’s personal information.