Comcast customers' wireless routers were leaking router names and passwords

Anyone with a subscriber's account number and street address could obtain the Wi-Fi network name and password in plaintext over the web via Comcast's Xfinity internet activation service


This was the latest major security incident recently shut down at Comcast. “There’s nothing more important than our customers’ security,” a Comcast representative said in a statement. “Within hours of learning of this issue, we shut it down. At no time did this site enable anyone to access customers’ personal usernames and passwords and we have no reason to believe that any account information was accessed. We are conducting a thorough investigation and will take all necessary steps to ensure that this doesn’t happen again.”

Here are the details

This issue was first reported to ZDNet by security researchers Karan Saini and Ryan Stevenson. The web app was intended to help customers with the initial setup of their internet service: the customer submits their details, and Comcast returns the router credentials while activating the service. The vulnerability this created was that anyone with your account number and just your street address number would instantly receive your router's SSID and password.


Here is the problem

  1. An already active account can be "activated"

  2. Minimal data is required to activate an account, and the request is not verified via email or text

  3. The wireless name and password are sent over the internet in plaintext


Here are the effects of the vulnerability

An attacker could have logged in to the router, renamed its network, changed its password, used the router however they liked, or simply monitored its traffic. This issue only affects customers who used a router provided by Xfinity/Comcast.

How to fix it

Unfortunately, with a problem this large, a simple password change would not have helped while the service was live: Comcast would simply have handed the attacker the new password. Fortunately, Comcast has since taken down the service in question.
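To make the three problems listed above concrete, here is a small added example (not Comcast's code; the account records, names and credentials are constructed) that models the flawed activation handler beside a hardened version that addresses each problem in turn:

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass
class Account:            # constructed sample record, not real Comcast data
    street_number: str
    active: bool
    ssid: str
    wifi_password: str
    pending_otp: Optional[str] = None   # one-time code sent by email/SMS
    otp_attempts: int = 0

ACCOUNTS = {
    "12345678": Account("1600", True, "HOME-1600", "c0rrecth0rse"),
    "87654321": Account("42", False, "HOME-42", "b4ttery-staple"),
}

def activate_vulnerable(account_number, street_number):
    """The flaw described above: account number + street number is enough to
    get the SSID and password back, even for an already active account."""
    acct = ACCOUNTS.get(account_number)
    if acct is None or acct.street_number != street_number:
        return {"error": "no match"}
    return {"ssid": acct.ssid, "password": acct.wifi_password}

def request_activation(account_number, street_number):
    """Hardened step 1: refuse already-active accounts (problem 1) and issue a
    one-time code to the contact on file (problem 2). Returning the code here
    only stands in for the email/SMS channel; a real service never does that."""
    acct = ACCOUNTS.get(account_number)
    if acct is None or acct.street_number != street_number or acct.active:
        return None
    acct.pending_otp = f"{secrets.randbelow(10**6):06d}"
    acct.otp_attempts = 0
    return acct.pending_otp

def activate_hardened(account_number, otp):
    """Hardened step 2: constant-time code check with an attempt limit, and the
    Wi-Fi password is never echoed back (problem 3); serve only over TLS."""
    acct = ACCOUNTS.get(account_number)
    if acct is None or acct.pending_otp is None:
        return {"error": "no pending activation"}
    acct.otp_attempts += 1
    if not hmac.compare_digest(acct.pending_otp, otp):
        if acct.otp_attempts >= 3:
            acct.pending_otp = None     # three misses: require a fresh code
        return {"error": "bad code"}
    acct.pending_otp, acct.active = None, True
    return {"ssid": acct.ssid, "password_hint": "printed on the gateway label"}
```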

Contact us for proper electronics recycling and data destruction.

e-End is a leading NAID AAA Certified provider of secure data destruction of hard drives, electronic storage devices and all non-paper media, with data wipe service, hard drive degaussing service, hard drive shredding service and hard drive incineration. e-End is R2:2013 Certified to recycle a wide range of electronic equipment and devices; including PCs, servers, handheld devices, office equipment and all other electronic products. e-End destroys a wide range of equipment and devices for International Traffic in Arms Regulations (ITAR) compliance and demilitarization.