Roughly 200,000 Comcast email users got an unpleasant surprise this weekend, as the company responded to a database of customer information offered for sale on a dark web marketplace. As reported by Steve Ragan at CSO, the database contained 590,000 accounts, with password information, and was available for $1,000. Unfortunately for whoever bought the package, the vast majority of the accounts were inactive, and only 200,000 accounts from the list appeared to be at risk from the attack. Once notified of the breach, Comcast reset the accounts in question.
It's still unclear where the passwords came from, and Comcast denied that any of its systems or apps had been compromised in connection with the breach. Given the poor quality of the data itself, it seems likely that the data comes from a third-party organization or is old enough to have been overlooked in Comcast's search. In September, Comcast settled a privacy breach lawsuit with California for $33 million after failing to honor a privacy setting, but the breach in question did not expose any passwords to the public.