If you’re a Comcast broadband customer, you may want to change your password.
A group calling itself NullCrew FTS last week hacked into some 34 of the company’s mail servers using a previously discovered vulnerability, potentially exposing subscribers’ personal information, including their user names and passwords. The hacker collective posted evidence of the attack online and crowed about it on Twitter.
Comcast has come under criticism for its response to the attack. NullCrew warned Comcast of the vulnerability before publishing details of its attack. A Comcast representative on Twitter apparently didn’t know how to respond to the warning. What’s more, despite indications that the vulnerability could have allowed malicious hackers to access personal information stored on the servers, Comcast so far has minimized the importance of the attack and has apparently not warned users that their information may be at risk. To the contrary, in one of its few comments on the attack, the company essentially said that customers shouldn’t worry about it, telling trade publication Multichannel News that “there is no evidence to suggest any personal customer information was obtained in this incident.”
The broadband giant’s mail servers run software from Zimbra, a developer of business applications. The hack exploited a vulnerability in Zimbra’s open source mail server software that was first reported in December. The vulnerability is known as a local file inclusion (LFI) and allows hackers to upload a file to the server that could be used to expose sensitive information.
Update: Comcast sent me the same statement they gave to Multichannel News: “We take our customers’ privacy and security very seriously. We have aggressively investigated this incident and have found no evidence to suggest any customer information was obtained.”
In a phone interview, company spokesman Charlie Douglas said the company has in place “multiple layers of security.” He didn’t say this, but I believe what he was implying was that even if NullCrew were able to exploit the Zimbra vulnerability, the company had other security measures in place to protect user information and passwords. Douglas added that the company has since patched the vulnerability that NullCrew exploited.