For the second time in as many months, Comcast fixes data leak on its Xfinity website, report says

This is an archived article and the information in the article may be outdated. Please look at the time stamp on the story to see when it was last updated.

For the second time in as many months, Comcast has been forced to fix another data leak on its website, according to a report on the business technology news website ZDNet.

The little-known page on Comcast’s Xfinity website was exposing customers’ account information to anyone, or any app, on a customer’s network, according to ZDNet, which says it reported on the story after receiving an anonymous tip from a security researcher.

“An API used by Comcast could be tricked into returning customer data, including account numbers, a customer’s home address (which can be used to pinpoint a person’s location), account type, and any services enabled on the line, including if a home security setup is active,” the ZDNet report says.

The API was used to help Xfinity customers find stores and get account information, ZDNet said. Because the API only returns data when it recognizes the customer’s IP address, accessing the customer data requires someone to already be on a customer’s network, ZDNet said. But the tipster told ZDNet that anyone connected to the customer’s Wi-Fi network — including apps — could obtain the same customer account information without their permission.

Comcast shut down the API after ZDNet contacted the company Friday, the report says.

“There’s nothing more important than our customers’ privacy and security,” a Comcast spokesperson told ZDNet. “As soon as we became aware of this situation, our engineers turned the feature off, which could only be accessed within a customer’s home or while logged into the customer’s Wi-Fi network.”

“We have no reason to believe that anyone’s account information was improperly taken or used,” said the spokesperson, citing no evidence.

Last month, ZDNEt reported that anyone with an Xfinity customer’s account number and their home or apartment number could obtain a customer’s full address and Wi-Fi name and password, which could allow an attacker to use the information to access the Wi-Fi network within its range.

Notice: you are using an outdated browser. Microsoft does not recommend using IE as your default browser. Some features on this website, like video and images, might not work properly. For the best experience, please upgrade your browser.