Comcast said on Monday it was forcing 200,000 customers to reset their passwords and information after the company discovered their information was being sold online by black market brokers.
The forced reset of the stolen account info, which did not come from a breach in Comcast’s network but from past, shared hacks of other companies, shows how commodified stolen data has become.
The Comcast customers’ email addresses and the passwords associated with those email addresses were offered for sale on the dark web over the weekend.
The dark web consists of networks that are not available via the public Internet and can only be accessed through specific software. They are often used for the buying and selling of contraband goods and services.
The names were being sold as a list of 590,000 email-password combos the unnamed seller claimed belonged to Comcast customers, security website CSO reported.
The asking price for the full list was $1,000, though the seller also offered 100,000 for $300.
Comcast became aware of the sale and, when it checked, found that only 33% of the full 590,000 combos were real, the company said Monday.
To protect those customers, Comcast locked down their accounts, which meant the customers had to go in and verify their identity and reset their passwords.
Not the result of a breach
What’s interesting about the list of customer account information is that it did not come from a breach of Comcast’s network.
Instead, the list appears to have been compiled from previously stolen information available on the dark web and simply aggregated to include only purported Comcast customers.
“There’s no evidence that this is a breach, but we are working with the customers who were impacted to secure their account,” said Comcast spokeswoman Jenni Moyer.
The Philadelphia, Pa.-based company has about 28 million customers, so 200,000 is modest as a portion. Still, it shows how readily online thieves slice and dice data, selling it like bushels of corn via online markets.
Online streaming accounts and cable TV-branded streaming services are routinely sold on the dark web, according to The Hidden Data Economy report, released last month by Intel Security Group’s McAfee Labs.
With login information, it’s possible to purchase items with stored credit card information and, of course, watch TV and other video.
The ID and password combinations would not have allowed access to the legitimate owners’ credit card information.
However, because so many people re-use passwords, having email and password combinations could be useful to someone attempting to break into more high-value targets such as bank and credit card accounts.