we need a smart password manager that detects a data breach, immediately changes the password of all the users that were using that website with some integration of changing their data on the backend of that website too. They would need to partner up with literally every damn website on the planet to accomplish this
LastPass had a feature that would change in your password for you. It was just a script that ran in your browser and log-in to the website and submitted the website change password form.
1Password shows compromised accounts and links you out to the site to change the password. It also has reports to show duplicate passwords, weak passwords, and things of that nature.
It’s not completely hands off (and I don’t know that I’d want it to be… there are a few passwords I don’t want it changing without my knowledge), but it’s something.
This is a pretty good idea, but does have an issue with shared passwords.
In most attacks, the data on that site is compromised and changing your password afterwards just prevents further exploitation by others.
What some password manager do is monitor for shared passwords (i.e. using the same password on Site A and Site B). This prevents attackers from cracking the password hash offline and trying the username/email and password in a bunch of different sites.
I received this email from Comcast/Xfinity today. Am I reading this right that the patch was released on 10 October 2023, and Comcast did not act until 23 October?
============
Xfinity Data Security Incident
Notice of Data Security Incident
We are notifying you of a recent data security incident involving your personal information. This notice explains the incident, steps Xfinity has taken to address it, and guidance on what you can do to protect your personal information.
What Happened? On October 10, 2023, one of Xfinity’s software providers, Citrix, announced a vulnerability in one of its products used by Xfinity and thousands of other companies worldwide. At the time Citrix made this announcement, it released a patch to fix the vulnerability. Citrix issued additional mitigation guidance on October 23, 2023. We promptly patched and mitigated our systems.
However, we subsequently discovered that prior to mitigation, between October 16 and October 19, 2023, there was unauthorized access to some of our internal systems that we concluded was a result of this vulnerability. We notified federal law enforcement and conducted an investigation into the nature and scope of the incident. On November 16, 2023, it was determined that information was likely acquired.
What Information Was Involved? On December 6, 2023, we concluded that the information included usernames and hashed passwords; for some customers, other information was also included, such as names, contact information, last four digits of social security numbers, dates of birth and/or secret questions and answers. However, our data analysis is continuing, and we will provide additional notices as appropriate.
What We Are Doing. To protect your account, we have proactively asked you to reset your password. The next time you login to your Xfinity account, you will be prompted to change your password, if you haven’t been asked to do so already.
What You Can Do. We strongly encourage you to enroll in two-factor or multi-factor authentication. While we advise customers not to re-use passwords across multiple accounts, if you do use the same information elsewhere, we recommend that you change the information on those other accounts, as well. You can review the “Additional Information” section below for information on how you can further protect your personal information.
More Information. If you have additional questions, please contact IDX, Xfinity’s incident response provider managing customer notifications and call center support, at 888-799-2560 toll-free, 24 hours a day, 7 days a week. More information is available on the Xfinity website at www.xfinity.com/dataincident.
We know that you trust Xfinity to protect your information, and we can’t emphasize enough how seriously we are taking this matter. We remain committed to continue investing in technology, protocols and experts dedicated to helping to protect your data and keeping you, our customer, safe.
> In response to the breach, Xfinity is urging customers who have used the same password for other websites or apps to change all their passwords immediately.
If the passwords were hashed and salted, why is this recommended? Is this due to brute-force risk?
Possibly, given my experience in InfoSec though, and knowing Xfinity/Comcast's reputation. It probably is all stored in plaintext in a database that was written in 1975 and rather than bother spending the time and money to upgrade management just keeps saying "things are fine this is fine the ALE doesn't justify the upgrade right now" and so the passwords are probably stored in plaintext.
Even if passwords are salted and hashed, easily guessed passwords can still be brute forced (think password123). Even with good password hashing algorithms like PBKDF2 (I have no idea what Comcast was using, but this is what LastPass uses) with a high cost value, this can be attempted for the most common passwords fairly quickly.
This also occurs 'offline', meaning that an attacker doesn't have to attempt to login to the webpage to try to brute force the passwords, it happens all on the attackers machine because they have a copy of the database.
On top of this, lots of people reuse passwords which makes this an attractive target for such attacks.
I work in InfoSec and the problem at this point is I have to assume my data has already been stolen, it seems like every month there is another major company that reports about losing the data of a several million customers. The problem is that there have now been so many breaches and data losses that there is nothing I can do as a customer that matters. It doesn't matter if I have a secure password, because someone else is going to store it in plaintext and when it gets leaked that password is no good. I can try using a different password for every website, but that doesn't mean much when it turns out the password reset flow has weak authentication and allows any hacker to reset it.
At this point I'm thinking of scrubbing my online presence of everything and creating an entirely fake person online that does all my online stuff. But then when I've tried to do that I've run into unending blocks of companies trying to block people specifically from what I want to do. e.g. You want to sign up for a service while you have to provide a phone number, nope it has to be a real phone number not a VoIP number. You want to sign up for this site? You're not allowed to over a VPN connection.
It seems like at this point were at a place were in order to use the internet you have to trust the companies with a bunch of your data and information to prove that you are a real person, whilst at the same time knowing that they can't be trusted and that they will sooner or later be compromised and lose your data.
It's a lose-lose for those of us who actually want to use the internet safety and there really needs to be some teeth when these kind of breaches happen.
I’ve come to the realization that the only thing I can do is limit the number of things I sign up for. At least then there are fewer breaches that impact me, and managing them doesn’t become a burden.
However, with something like 25 years on the internet, that is easier said than done. I have a lot of legacy accounts at this point, and the solutions I’d use today didn’t exist 25 years ago. Some places let account be deleted, others do not. Sony for example, will not let me delete one of my PSN accounts (I have two for some reason). Seeing as they’ve been hacked multiple times I find this unacceptable. Even when a company does allow it, I have no way of knowing if they delete my data or simply set a flag on my account in their DB to mark it inactive.
I really wish there was a way to push the reset button on my online life. Knowing what I know now, I’d do things much differently. It all basically bowls down to RMS being right.
>Even when a company does allow it, I have no way of knowing if they delete my data or simply set a flag on my account in their DB to mark it inactive.
Having work at comcast at the highest levels (as a programmer at least), I can tell you it's a dumpster fire over there for security. I've had to get new apps approved by security at Comcast and I'd tell them that I knew they weren't testing known holes and they were like "Well... We're just required to run this pen testing software and that's it".
Uhh okay... Now comcast is a massive company with so many divisions and remnants of many merged companies but I worked at the main office and the stuff that would happen there was a comedy of errors.
I once had someone pretty high up (reported to the C Level) tell me to add a feature to our software that was just completely insecure. I told the guy this was real dangerous idea. He said do it anyway.
I was on an email chain with the head of the legal department. I responded there that I was going to do it but they should be aware that it's going to open up the company to litigation and since they were now aware of it, it could be a big problem.
Head of legal stepped in and squashed the idea. But that's the level of stupidity we are dealing with.
17 comments
[ 1741 ms ] story [ 1265 ms ] threadIt’s not completely hands off (and I don’t know that I’d want it to be… there are a few passwords I don’t want it changing without my knowledge), but it’s something.
In most attacks, the data on that site is compromised and changing your password afterwards just prevents further exploitation by others.
What some password manager do is monitor for shared passwords (i.e. using the same password on Site A and Site B). This prevents attackers from cracking the password hash offline and trying the username/email and password in a bunch of different sites.
I think the full use case you describe is better suited for a passkey manager, since passkeys are marching generated already.
============
Xfinity Data Security Incident
Notice of Data Security Incident
We are notifying you of a recent data security incident involving your personal information. This notice explains the incident, steps Xfinity has taken to address it, and guidance on what you can do to protect your personal information.
What Happened? On October 10, 2023, one of Xfinity’s software providers, Citrix, announced a vulnerability in one of its products used by Xfinity and thousands of other companies worldwide. At the time Citrix made this announcement, it released a patch to fix the vulnerability. Citrix issued additional mitigation guidance on October 23, 2023. We promptly patched and mitigated our systems.
However, we subsequently discovered that prior to mitigation, between October 16 and October 19, 2023, there was unauthorized access to some of our internal systems that we concluded was a result of this vulnerability. We notified federal law enforcement and conducted an investigation into the nature and scope of the incident. On November 16, 2023, it was determined that information was likely acquired.
What Information Was Involved? On December 6, 2023, we concluded that the information included usernames and hashed passwords; for some customers, other information was also included, such as names, contact information, last four digits of social security numbers, dates of birth and/or secret questions and answers. However, our data analysis is continuing, and we will provide additional notices as appropriate.
What We Are Doing. To protect your account, we have proactively asked you to reset your password. The next time you login to your Xfinity account, you will be prompted to change your password, if you haven’t been asked to do so already.
What You Can Do. We strongly encourage you to enroll in two-factor or multi-factor authentication. While we advise customers not to re-use passwords across multiple accounts, if you do use the same information elsewhere, we recommend that you change the information on those other accounts, as well. You can review the “Additional Information” section below for information on how you can further protect your personal information.
More Information. If you have additional questions, please contact IDX, Xfinity’s incident response provider managing customer notifications and call center support, at 888-799-2560 toll-free, 24 hours a day, 7 days a week. More information is available on the Xfinity website at www.xfinity.com/dataincident.
We know that you trust Xfinity to protect your information, and we can’t emphasize enough how seriously we are taking this matter. We remain committed to continue investing in technology, protocols and experts dedicated to helping to protect your data and keeping you, our customer, safe.
Sincerely,
Xfinity
If the passwords were hashed and salted, why is this recommended? Is this due to brute-force risk?
This also occurs 'offline', meaning that an attacker doesn't have to attempt to login to the webpage to try to brute force the passwords, it happens all on the attackers machine because they have a copy of the database.
On top of this, lots of people reuse passwords which makes this an attractive target for such attacks.
At this point I'm thinking of scrubbing my online presence of everything and creating an entirely fake person online that does all my online stuff. But then when I've tried to do that I've run into unending blocks of companies trying to block people specifically from what I want to do. e.g. You want to sign up for a service while you have to provide a phone number, nope it has to be a real phone number not a VoIP number. You want to sign up for this site? You're not allowed to over a VPN connection.
It seems like at this point were at a place were in order to use the internet you have to trust the companies with a bunch of your data and information to prove that you are a real person, whilst at the same time knowing that they can't be trusted and that they will sooner or later be compromised and lose your data.
It's a lose-lose for those of us who actually want to use the internet safety and there really needs to be some teeth when these kind of breaches happen.
However, with something like 25 years on the internet, that is easier said than done. I have a lot of legacy accounts at this point, and the solutions I’d use today didn’t exist 25 years ago. Some places let account be deleted, others do not. Sony for example, will not let me delete one of my PSN accounts (I have two for some reason). Seeing as they’ve been hacked multiple times I find this unacceptable. Even when a company does allow it, I have no way of knowing if they delete my data or simply set a flag on my account in their DB to mark it inactive.
I really wish there was a way to push the reset button on my online life. Knowing what I know now, I’d do things much differently. It all basically bowls down to RMS being right.
If you're in the Eu, file a gdpr request.
Uhh okay... Now comcast is a massive company with so many divisions and remnants of many merged companies but I worked at the main office and the stuff that would happen there was a comedy of errors.
I once had someone pretty high up (reported to the C Level) tell me to add a feature to our software that was just completely insecure. I told the guy this was real dangerous idea. He said do it anyway.
I was on an email chain with the head of the legal department. I responded there that I was going to do it but they should be aware that it's going to open up the company to litigation and since they were now aware of it, it could be a big problem.
Head of legal stepped in and squashed the idea. But that's the level of stupidity we are dealing with.