May 22, 2018
A bug in a Comcast website used to activate routers for home internet and cable service reportedly displayed the home addresses where routers were located, as well as Wi-Fi network names and passwords.
Researchers found that hackers would need only an account ID and the house or apartment number to gain access to personal networks on this website. The web form asked for a full address, but entering the full address was not necessary.
Comcast confirmed the hole in its security, and in a statement, the company said "within hours of learning of this issue, we shut it down."
Now, customers must input an Xfinity username and password or a mobile phone number to activate a router.
Before Comcast knew of the bug, attackers could have simply stolen a piece of mail with a house address or even just guessed a house number on a block for access to personal networks, ZDNet reported.
The bug revealed Wi-Fi passwords and account information even if the router had already been activated.
And attackers could have changed Wi-Fi names and passwords to lock out owners, too.
Researchers don’t believe the bug allowed attackers to access router settings, but once on the network, an attacker could have looked at unencrypted traffic from other users on the network, ZDNet reported.
In a statement, a Comcast spokesperson told CNET that at this time, the company has no reason to believe any customer account information was accessed.
"We are conducting a thorough investigation and will take all necessary steps to ensure that this doesn't happen again," the statement reads.