If you're a Comcast customer, you may have dodged a figurative bullet thanks to quick acting by Xfinity's IT team. The Comcast Xfinity login page had a security flaw in it that exposed millions of customers to a data breach, according to Buzzfeed News.
The security lapse was discovered by cybersecurity researcher Ryan Stevenson, who told the publication that 26.5 million people had their personal information exposed.
Buzzfeed said Comcast Xfinity has had at least two other previously unreported vulnerabilities in its online customer portal for high-speed internet. One of them had to do with flaws found in an “in-home authentication” page, which allows payments without customers having to sign in.
In that case, the page would display a partial home address. With just that information, a hacker could find out a customer's home address by locating their IP (Internet Protocol) address on their computer.
It is unclear how long the vulnerabilities were accessible before the company was alerted, but Comcast has reportedly disabled its in-home authentication feature.
Another security faux pas Stevenson found had to do with Comcast's Authorized Dealers sign-up page. The flaw revealed the last four digits of customers' Social Security numbers, according to Buzzfeed.
While just four digits of a person’s Social Security number may not be enough to access their information, a determined criminal who found out someone’s home address could use code-guessing software to exploit that vulnerability.
Comcast said the company patched the security flaws as soon as they found out.
“We quickly investigated these issues and within hours we blocked both vulnerabilities, eliminating the ability to conduct the actions described by these researchers,” Spokesman David McGuire told BuzzFeed News, “We take our customers’ security very seriously, and we have no reason to believe these vulnerabilities were ever used against Comcast customers outside of the research described in this report.”
The incident is reminiscent of the Equifax data breach, in which hackers broke into a web portal app on the company's site and stole massive amounts of consumer information.
Since that massive hack and even well before it, money expert Clark Howard has recommended a two-pronged approach to protecting yourself from data breaches as best you can. Here’s how to do it:
- Sign up for a CreditKarma.com or Credit Sesame account to get free credit monitoring and be notified when anyone tries to access your personal info. Here's a step-by-step rundown of how to do it.
- Freeze your credit at the three major credit-reporting bureaus. Here's an in-depth guide on how to contact Equifax, TransUnion and Experian to freeze your accounts.
© 2020 Clark.com