Andy Weir is the creator of Mark Watney, a fictional astronaut who can solve any problem the harsh environment of Mars throws his way.
But Weir, author of The Martian, ran into a tricky problem on Earth this week when his e-mail and Twitter accounts were hacked. The culprit, he says, was a hacker who reset the password for his Comcast.net e-mail account by calling Comcast and pretending to be him. Comcast let the hacker take control of his e-mail account after asking “security questions” for which the answers were easy to find, according to Weir.
“Well, I got hacked,” Weir wrote on Facebook last night. “Someone compromised my e-mail account and Twitter account. I don’t know how they got the password. My guess is they socially engineered a password reset on my e-mail account, and they used that to do a password reset on Twitter. They also set up an e-mail forward to an account they control, so even after I changed my e-mail password they were still getting my e-mails until I found that. Whee.”
Today, Weir said he found out how his e-mail account was taken over. Here’s his latest update:
So I found out how the hacker got control of my e-mail address.
I wanted to know what timespan the hacker had control of my account, so I called Comcast to find out when the password was initially changed. Turns out the hacker had control for a little over an hour. Oh, and by the way, that password change was done by a Comcast customer service rep.
Yup. The hacker got control of my e-mail account by calling Comcast. From there, the conversation went something like this:
Me: So, I’d like you guys not to give control of my account to people who call you, no matter how nicely they ask.
Comcast: We ask several security questions. The hacker had to know a ton of personal information about you to pull this off.
Me: Really? Because when I called to reclaim control of the account all you guys asked for was my street address and the last four digits of my social security number. Is that actually all you need to know to take over a Comcast e-mail account? Because that stuff isn’t too hard to find out about people.
Comcast: (awkward silence)
Me: Seriously? Is that your entire validation process? You know my phone number; you have it on file. You could text me for verification or call me back.
Comcast: We do that for customers who have their phone service through Comcast.
Me: And for the millions of us who don’t?
Comcast: (awkward silence #2)
So anyway, now my account is flagged and any password changes require a call in to their security department and it requires knowing a special code.
We’ve contacted Comcast about the alleged incident with Weir’s e-mail password. We also asked Comcast if what Weir described is the standard protocol for changing e-mail passwords and whether Comcast offers any additional security protections like two-factor authentication. We’ll update this post if we receive a response.
A Comcast customer’s primary username and password are used both to manage the customer’s cable account and to check e-mail, according to a Comcast support page.