Thursday, 26 November 2015

Comcast Breach by the Numbers

As was reported over the past few weeks, about 600,000 usernames and passwords for Comcast users were available for sale. I have since come across the data and have decided to share some statistics from it.

In the dump there were the following:
  • A CSV of e-mail addresses, customer names, and associated physical addresses (comcast_27k_emails_with_full_house_addresses.txt)
  • A CSV of usernames and passwords in plaintext (comcast_590K_users_with_plain_text_passwords.txt)
  • A SQL dump of a table containing account IDs, GUIDs, aforementioned usernames, account statuses, and passwords (comcast_vanity.sql)
Additionally, a text file containing the following:
hacked by orion, sold on Python Market 
software vuln allowed access to mail servers which contained user emails and plain text passwords lol, enjoy. Do not leak out this link or else i will....do fucking nothing. 
[...]
Update Monday November 9,2015: Comast is full of shit.txt
Total usercount (with passwords):  590,298
comcast claims to have reset all affected accounts..and yet many of them still work just fine, LOL!
[...]
yup this was totally from phishing, comcast boxes were totally never breached!

I haven't put these into Canary yet, but I have gone through the data for those who wish to know how people were affected. Based on the contents, I also believe that something belonging to Comcast (or a third party) was indeed breached, contrary to their official statement.

For the record, I did not purchase the data.

The Numbers

I tweeted this a few days ago, but here are the raw numbers:
  • 590,298 usernames/e-mail addresses and passwords were included in this breach
    • 413,964 unique passwords were found within the list
    • 296,907 of those passwords appear in rockyou.txt
  • 27,262 e-mail addresses, individuals' names, and physical addresses were exposed
  • 889,627 records were listed in the SQL dump

What's in the SQL dump?

Interestingly, the SQL table has the following columns:

  • account_id
  • guid
  • vanityName
  • enabled
  • suspended
  • migration_status
  • migrated
  • migration_password
When Comcast denies that it suffered a breach while the attacker claims to have breached a mail server, you have to wonder what the truth is once you see a SQL database including details like account IDs, something about migration (to another system, maybe?), and the status of each account. There are allegations that this data may have come from a third party, so perhaps there is some truth in all of this for Comcast, but what was the actual source?

I was curious how many actual customers were affected by this breach, so I did two things: I looked at how many accounts were marked as "enabled" and how many were marked as "suspended", plus a few extra checks to see what was going on.

Here's how it all broke down:

  • Of the 889,627 accounts listed in the dump, 851,093 accounts were marked as "enabled"
    • Only 7 of those accounts were marked as "suspended"
  • 889,555 of all accounts have been marked as "migrated"
  • The number of passwords in the password file matches the number of entries in this database where the password is not null (590,298)
The numbers here make it quite clear that Comcast, or a third party with access to the data, suffered a breach.

Where are people affected the most?

Among the 27,262 customer addresses and e-mails exposed, 5,994 unique ZIP codes were represented (there are about 43,000 across the whole United States). These were the top ten ZIP codes by number of affected customers:
  1. 80202 - Denver, CO (58 customers)
  2. 55303 - Anoka, MN (57 customers)
  3. 15601 - Greensburg, PA (54 customers)
  4. 37214 - Nashville, TN (52 customers)
  5. 17331 - Hanover, PA (47 customers)
  6. 26003 - Wheeling, NV (45 customers)
  7. 15301 and 46350 - Washington, PA and La Porte, IN (44 customers)
  8. 19464 and 21014 - Pottstown, PA and Bel Air, MD (42 customers)
  9. 77702 - Beaumont, TX (40 customers)
  10. 02703 and 17701 - Attleboro, MA and Williamsport, PA (37 customers)

Of those 27,262 customers, 3,256 also had their passwords exposed in the password list, assuming that the local part of each e-mail address can be correlated to the "vanityName" field.
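As an added worked example (not the author's own scripts), here is how the counts in the SQL-dump breakdown and the address-to-password correlation above can be reproduced over constructed sample files shaped like the three dump files. The exact file layouts, the SQL column order, the colon-separated credential format and the local-part-to-vanityName match are assumptions.

```python
import csv
import re
from collections import Counter

# Constructed sample data shaped like the three files described above (not the
# real dump); SQL column order follows the post's column list.
PASSWORD_FILE = "alice:hunter2\ncarol:hunter2\ndave:zxcv9!Q\n"
ADDRESS_FILE = """email,name,address,zip
alice@example.com,Alice A,1 Main St,80202
erin@example.com,Erin E,3 Elm Rd,55303
frank@example.com,Frank F,4 Pine Ct,80202
"""
SQL_DUMP = """INSERT INTO vanity VALUES (1,'g1','alice',1,0,'done',1,'hunter2');
INSERT INTO vanity VALUES (3,'g3','carol',1,1,'done',1,'hunter2');
INSERT INTO vanity VALUES (4,'g4','dave',0,0,'pending',0,'zxcv9!Q');
INSERT INTO vanity VALUES (5,'g5','erin',1,0,'done',1,NULL);
"""
WORDLIST = {"hunter2", "password", "123456"}  # stand-in for rockyou.txt
COLUMNS = ["account_id", "guid", "vanityName", "enabled", "suspended",
           "migration_status", "migrated", "migration_password"]
VALUES_RE = re.compile(r"VALUES \((.*)\);$")

def parse_sql_rows(dump):
    """Turn each INSERT line into a dict keyed by the table's column names."""
    rows = []
    for m in filter(None, map(VALUES_RE.search, dump.splitlines())):
        fields = next(csv.reader([m.group(1)], quotechar="'"))
        row = dict(zip(COLUMNS, fields))
        if row["migration_password"] == "NULL":  # unquoted SQL NULL
            row["migration_password"] = None
        rows.append(row)
    return rows

def breach_stats(password_file, address_file, sql_dump, wordlist):
    """Reproduce the post's counts: credentials, SQL statuses, ZIP codes."""
    creds = dict(ln.split(":", 1) for ln in password_file.splitlines() if ln)
    rows = parse_sql_rows(sql_dump)
    addresses = list(csv.DictReader(address_file.splitlines()))
    return {
        "credentials": len(creds),
        "unique_passwords": len(set(creds.values())),
        "in_wordlist": len(set(creds.values()) & wordlist),
        "sql_rows": len(rows),
        "enabled": sum(r["enabled"] == "1" for r in rows),
        "suspended": sum(r["suspended"] == "1" for r in rows),
        "migrated": sum(r["migrated"] == "1" for r in rows),
        "non_null_passwords": sum(r["migration_password"] is not None for r in rows),
        # e-mail local part matched against vanityName, as the post assumes
        "addresses_with_password": sum(a["email"].split("@")[0] in creds for a in addresses),
        "top_zips": Counter(a["zip"] for a in addresses).most_common(3),
    }
```

The consistency check the post relies on is that "non_null_passwords" equals "credentials"; on the sample both are 3.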


I have created a map that will let you see who's affected. There are some weird quirks due to problems with ZIP codes not matching up with their respective cities, so keep that in mind.

Closing

As stated already, Comcast or a third party was breached and this data was exposed. Comcast owes an explanation to its customers.

I'll be placing the e-mail addresses on Canary as soon as possible. 
