RCN, one of the largest internet and cable service providers in the US, admitted today on Twitter that it stores users’ passwords in cleartext, and that its customer support employees can view those passwords at any time during technical support requests.
An RCN spokesperson said that “[customer support] agents need to see this password to verify account ownership when certain changes are requested.”
The revelation came after a user who goes by Lomgrim on Twitter called RCN support over the weekend. Before calling, Lomgrim says he used KeePass, a password manager application, to generate a random 26-character password for his RCN account.
He claims that the RCN employee handling his call was able to view and then read this password back to him without verifying that he was speaking to the actual account owner.
Speaking to ZDNet, Lomgrim pointed this reporter to a Reddit thread he opened over the weekend, where he vented on the matter.
“Their rep without any validation was able to see my password that I had just set online, 5 minutes earlier, in plaintext and then straight up READ IT BACK TO ME, OVER THE PHONE asking ‘the password looks very long and odd, are you sure this is what you want?’,” Lomgrim said.
While Lomgrim confirmed this was the first time it had happened to him, other users commenting on the same Reddit thread claimed to have experienced the same issue in the past.
“I just talked to a customer service rep and they told me the same thing. They didn’t seem to understand why it might be a problem,” a Reddit user said.
The problem RCN employees didn’t appear to understand, as the user put it, is that handing out a password without first verifying the caller’s identity can lead to serious privacy breaches.
For example, stalkers could gain a new way to intrude on their victims’ privacy, while scammers and fraudsters could use the issue to reach a trove of personally identifiable and financial information.
According to Lomgrim, this can lead to serious consequences, because an RCN account, like accounts at most US-based ISPs, stores a wealth of personal information.
“MyRCN web portal contains access to the billing portal, as well as to autopay setup,” Lomgrim told ZDNet. “Bill payment history is available for download for your entire tenure.
“You can also modify your security questions in the portal and the account password itself. Furthermore, MyRCN portal allows you to change your RCN Webmail password outright without having to provide the old password first.
“You can also update your billing address. In my view, if an attacker has access to this account, they can pull down all my statements, reset my RCN Email password (if I was using one), and set my billing address to something else, and disable paperless billing, so they can route my bills to their address,” Lomgrim added.
ZDNet reached out to RCN earlier today with several questions about the company’s practice. In an email, the company replied that it is investigating the issue.
“RCN takes all our customer inquiries, concerns and feedback very seriously. We are looking into this matter; we are in contact with the customer and are gathering all the pertinent information,” Bill Sievers, Senior Vice President of Customer Service, RCN, told ZDNet via email. “We will provide updates as they become available.”
A quick Twitter search also reveals this has been going on for at least four years; the company has been upfront about the policy since 2014, according to an older tweet.
“RCN reps have access to your webmail password and MyRCN password in case you were to ever forget them,” an RCN representative wrote from the official Twitter account in 2014, in reply to a user complaining about the same thing, an RCN call center employee reading out the user’s password over the phone.
There is also a four-year-old Reddit thread with the same complaint about RCN employees having access to customers’ passwords in cleartext.
RCN isn’t the first company to inadvertently reveal on Twitter that it stores customer passwords in cleartext. Just a few months earlier, T-Mobile Austria admitted to the same practice.
Following multiple user complaints and a long stream of online ridicule and criticism, T-Mobile Austria eventually implemented password hashing, so that neither employees nor hackers who obtain the database can view the passwords in cleartext.
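The following is an added example of what that fix looks like in practice; it is not code from RCN, T-Mobile or ZDNet. It converts a constructed cleartext table of the kind the article describes into salted PBKDF2-HMAC-SHA256 records (parameters follow the OWASP Password Storage Cheat Sheet), and shows that a support tool built on such records can only answer “does this candidate match?”, never read the password back. The record format, function names and sample accounts are assumptions made for this example.

```python
"""Added example: replacing a cleartext password store with salted, slow hashes.

Not code from RCN, T-Mobile or ZDNet. The record format and the sample
accounts are constructed for this example. Parameters follow the OWASP
Password Storage Cheat Sheet recommendation for PBKDF2-HMAC-SHA256.
"""
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000  # OWASP-recommended minimum for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    A fresh random salt per password means two customers with the same
    password get different records, so a leaked table cannot be attacked
    with one precomputed list.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.

    This yes/no answer is all a support tool needs to confirm ownership;
    nobody, agent or attacker, can recover the password from the record.
    """
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        actual = hashlib.pbkdf2_hmac(
            "sha256", candidate.encode("utf-8"), salt, int(iterations)
        )
    except ValueError:
        return False  # malformed or tampered record
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str) -> bool:
    """True if the record uses weaker parameters than current policy.

    Call this after a successful login so hashes can be upgraded when the
    customer next authenticates (only then is the plaintext available).
    """
    try:
        algorithm, iterations, _salt, _digest = record.split("$")
        return algorithm != ALGORITHM or int(iterations) < ITERATIONS
    except ValueError:
        return True


def migrate_plaintext_store(plaintext_store: dict) -> dict:
    """One-shot migration of a {username: plaintext} table to hashed records.

    Unlike a parameter upgrade, this need not wait for logins: the plaintext
    is already in the table, so every row is converted in one pass and the
    cleartext column can then be dropped.
    """
    return {user: hash_password(pw) for user, pw in plaintext_store.items()}


if __name__ == "__main__":
    # Constructed legacy table in the shape the article describes.
    legacy = {
        "lomgrim": "Qv7#mP2kL9xR4wT8yU3zA6bC1d",  # 26 chars, like the KeePass one
        "alice": "hunter2",
        "bob": "hunter2",
    }
    hashed = migrate_plaintext_store(legacy)
    for user, record in hashed.items():
        print(user, "->", record)
    # Same password, different records, because of the per-user salt.
    print(hashed["alice"] != hashed["bob"])  # True
    # An agent can confirm a candidate but cannot read the password back.
    print(verify_password(hashed["lomgrim"], legacy["lomgrim"]))  # True
    print(verify_password(hashed["lomgrim"], "wrong"))  # False
```

The support workflow that goes with this is for the customer to type the password into the portal or IVR and for the agent’s tool to receive only the boolean, so the password is never spoken aloud or displayed to anyone.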
As for Lomgrim, he hopes the ISP improves its password handling, and somewhat regrets the media storm he may have caused.
“RCN has generally been my ISP of choice,” he told ZDNet. “Their customer service is regularly very responsible, and rare issues that do arise tend to be resolved quickly and well. They provide faster and better service, including gigabit, for prices that are much better than Comcast, without any contractual service obligations.”
Storing passwords in cleartext is not the worst problem a company like RCN could face, and it is certainly something the company could fix quickly once it made the right decision. There are many other ways of verifying a customer’s identity or solving technical problems without reading the user’s password back and asking “is this yours?”.