Comcast web mail servers hacked, all users at risk

Hacking group NullCrew FTS declared today that it had exploited a security flaw in Comcast's Zimbra webmail server. It's believed that the group used a local file inclusion (LFI) vulnerability to obtain usernames and passwords of Comcast ISP users.

The hacking group claims it used this exploit to gain access to the Zimbra LDAP and MySQL database which house the user accounts and passwords. The group posted earlier on pastebin.com a list of what they gained access to, but with no usernames or passwords listed. The posting has since been removed by pastebin.

Every Comcast ISP user has a master account, which is accessible through their Zimbra webmail site. This account can be used to access your payment information, e-mail settings, user account creation and services you purchase from Comcast. Even if you do not use their mail service, you still will have a master account. It is strongly recommended that, if you are a Comcast user, you change your password as soon as possible. 

Comcast performed out-of-schedule maintenance on their mail servers last night, hopefully to fix this exploit. No more information is available at this time on what maintenance was performed.

Source: ZDNet


24 Comments


Changing my password... not that there was anything critical in my email on Comcast's servers.

Only old people who don't know any better use their ISP as their email service.

There's 0 indication that the hack compromised user account info, that any LDAP or MySQL db was accessed, or that Comcast did any kind of maintenance.

Did you just make this up, or do you actually have sources?

buhrsnam said,
There's 0 indication that the hack compromised user account info, that any LDAP or MySQL db was accessed, or that Comcast did any kind of maintenance.

Did you just make this up, or do you actually have sources?

Did you read the source article? Or any of the many other articles out there now, including one at dslreports.com, that reference this? Also, the original text on pastebin listed out a lot of information that sites aren't publishing, including LDAP and MySQL information on Comcast's network. There is still, at least as of earlier today, a cache of the document on Google's cache of the pastebin site they referenced.

Yeah - I read them. And I read the paste. They all say the same thing - the attackers got passwords for things, but that doesn't mean they can hit them.

If you guys want to hear something funny, call Comcast and ask them!!

LMAO

I was just told "it's a matter of fact that is impossible sir!"

I laughed at him, idiot just reading a script...

I'd rather someone screw with my account so I can get a reason to raise hell and get some free months off my service.

If essentially all account creds were swiped why is this not bigger news? Why is Comcast more or less silent and not in "everyone please change your password" mini-crisis mode?

This issue was identified recently and a patch had been released. Zimbra had contacted all their customers to update to the latest version. Looks like Comcast were a little lazy and got pwned.

In any other engineering field product with fault of such proportions would (have to) be recalled at the expense of the manufacturer. Software, on the other hand... patch upon patch upon patched patch at the expense of its users every single time.

Ever done a recent install of Windows recently? The patches are in the gigabytes. The entire Zimbra installer is only a couple of 100 megabytes.

1) No, they aren't.

2) At any rate, Windows is much larger in scope. Leave Windows out of this; I suspect an anti-Windows agenda here already.

3) Is there actually a point to your statement? Preferably one that relates to what I've said.

Amount of negligence/mistakes/errors tolerated in software slapping together (because engineering it isn't, not anymore) is much higher than it is in designing of hardware, material commodities and mechanisms. Yet software, I'd argue, has much higher impact - it controls the hardware, it creates hardware, it controls our lives.

How about coders and all their ilk start taking responsibility for every single miscoded statement that leads to loss of data and money at such megascale proportions? Finally do away with the "as is" clause of the ultimate disavowal?

90% of all leet coders would show themselves to the door tomorrow.

Lastpass / Roboform FTW. Unique passwords for everything!

I tried to help a customer of mine who forgot just about every password for every website she signed up for. I set her up for Roboform and then 6 months later she called me telling me she forgot her master password for Roboform after I told her: write this down and put it in a safe place, you do NOT want to forget or lose this password. *face palm*.

Then again maybe she found where she wrote it down at... apparently she didn't use it enough to remember it.

warwagon said,
Lastpass / Roboform FTW. Unique passwords for everything!

I tried to help a customer of mine who forgot just about every password for every website she signed up for. I set her up for Roboform and then 6 months later she called me telling me she forgot her master password for Roboform after I told her: write this down and put it in a safe place, you do NOT want to forget or lose this password. *face palm*.

Then again maybe she found where she wrote it down at... apparently she didn't use it enough to remember it.

They normally end up writing it on a piece of paper and scotch-taping it on the side of their LCD screen. Now, that's safe keeping!

Farchord said,

They normally end up writing it on a piece of paper and scotch-taping it on the side of their LCD screen. Now, that's safe keeping!

There's nothing wrong with that. I keep my passwords in an address book in my drawer at home. If someone steals them I have bigger problems than passwords: someone's been in my house!

In a business environment, yeah that's really bad security.

Well, pending that this is really true then the main Comcast account password is also compromised as they are linked.

Just changed mine so hopefully this won't be an issue.