Thanks to Neo1980 for posting this in our Back Page News on the forums and Michael Griffith for emailing us.
Feb. 7 — A database with thousands of records detailing potential Comcast Business Communications Internet customers was found exposed on the Web this week by a computer security researcher. Phone numbers, addresses, private customer service comments and monthly billing information belonging to several thousand, mostly corporate, users were exposed. The so-called "leads" database included prospective customers and was protected only by the same username and password, "test."
DETAILS FOR ACCESSING the database were posted in an Internet mailing list devoted to computer security issues on Wednesday by researcher Russell Handorf.
Anyone following the trivial instructions found a Web-based "front-end" to a database of leads for Comcast Business Communications — a division of Comcast Telecommunications Inc.
Among the options listed on the site were sales calls by zip code, revenue forecasts, sales pending, top 100 customers and "approved credit memos." One page labeled "maintenance" included options like "add employee" and "run billing," though it was not immediately known if such functions could really be carried out via the Internet page.
Sam Muptalla, vice president of Information Technology for Comcast Business Communications, admitted the database trouble on Thursday, but stressed that the data did not belong to current Comcast customers. Muptalla said he didn't know how big the database was, and he didn't yet know why the insecure username and password were selected.
"What happened is someone found the username and password combination to an internal work site," Muptalla said. "Until I investigate what the root cause is I am loath to speculate about it." He added that the Web site had been shut down Thursday in response to the complaint.
It did not appear that credit card information or bank account information was exposed.
But there did appear to be tens of thousands of records in the database. A search for names that began with the letter "s" returned nearly 4,000 records.
Some of the records included monthly billing amounts and installation fees, suggesting they were actual Comcast customers; but Muptalla said he believed those were estimated amounts entered by sales employees still hoping to land contracts.