Comcast said it was not hacked and that its systems and apps were not compromised. The company blamed the incident instead on unsuspecting customers who may have visited malware-laden sites or fallen victim to other schemes that allowed hackers to obtain their data.
To prove the list was legitimate, the seller on the Dark Web site exposed the information of a few dozen customer accounts, and offered to sell 100,000 of them for $300.
As many as 590,000 accounts were put up for sale for $1,000. But only a third of the entries were actually up-to-date and therefore at risk, Comcast said. The others appear to be old or fake information.
“We’re taking this seriously and we’re working to get this fixed for those customers who may have been impacted,” said a company spokesperson, “but the vast majority of information out there was invalid.”
The company said it will not offer credit monitoring to affected customers because Comcast itself was not hacked.
Selling personal information on the Dark Web is a burgeoning business. In a report last month, McAfee labs said the price for stolen credit and debit cards usually goes for $4 to $30 in the United States while bank login credentials can go for $190.
“Like any unregulated, efficient economy, the cybercrime ecosystem has quickly evolved to deliver many tools and services to anyone aspiring to criminal behavior,” said Raj Samani, a chief technology officer for Internet Security, which runs McAfee Labs. “This ‘cybercrime-as-a-service’ marketplace has been a primary driver for the explosion in the size, frequency, and severity of cyber attacks. The same can be said for the proliferation of business models established to sell stolen data and make cybercrime pay.”