
Cyber Incident Victim: Comcast

Date:

Dec 2013

Location:

United States of America

Summary

A hacker claimed to have compromised a telecommunications company's Zimbra mail server through a directory traversal vulnerability, allegedly obtaining 800,000 credentials, 590,000 of which included cleartext passwords. After the data was offered for sale on an underground marketplace, the company reset 200,000 passwords while disputing that the breach had occurred, suggesting instead that the credentials came from sources such as phishing or third-party compromises. Security experts criticized the organization for storing passwords in unencrypted form.


Description

In December 2013, a hacker using the alias Orion exploited a directory traversal vulnerability (CVE-2013-7091) in Comcast’s Zimbra mail server, which operated under the domain *****.comcast.net. Orion claimed this breach yielded 800,000 Comcast credentials, 590,000 of which contained cleartext passwords. He contrasted his haul with that of the hacking group NullCrew, which reportedly obtained only 27,000 email addresses without passwords during the same period. The stolen credentials remained undisclosed until November 2015, when Orion attempted to sell 200,000 valid Comcast usernames and passwords on the Python Market dark web marketplace for $1,000. Comcast confirmed approximately one-third of the 590,000 credentials listed for sale were accurate and reset passwords for 200,000 affected customer accounts upon discovering the listing. The company publicly stated it had "no evidence" of the alleged 2013 breach involving the Zimbra vulnerability, instead suggesting the data may have originated from phishing campaigns, malware infections, or third-party breaches unrelated to its infrastructure.


The incident drew attention to Comcast’s storage of passwords in cleartext, a practice widely criticized in security communities, as evidenced by discussions on Reddit following the disclosure. Orion explicitly asserted the compromised passwords were stored unencrypted, contradicting standard security protocols that mandate hashing or encryption of credentials. While Comcast did not confirm the breach methodology or the cleartext storage claim, its password resets targeted accounts linked to the credentials offered for sale. The attacker’s narrative highlighted the exploitation of a known Zimbra vulnerability patched in late 2013, though Comcast’s public response did not acknowledge this specific attack vector. The exposure of customer credentials created risks of unauthorized account access, though the full scope of misuse remains undocumented in available sources. Comcast’s remediation focused on credential resets without disclosing additional technical or operational changes.
