The Xfinity site asked for a person's account ID and home address in order to activate that home's router, but once you entered this information it showed that home's router name and password in plaintext, reported ZDNet on Monday. You could use this service to get anyone's Wi-Fi name and password as long as you had their account ID or address -- both easily available in any discarded bill.
You didn't even need that person's full address to get their Wi-Fi info, according to ZDNet, which said a house or apartment number was enough to show the rest of their address.
Once logged in using an account number and address, you also had the option of changing the Wi-Fi name and password, potentially locking the owner out.
Comcast confirmed to CNET that this service is no longer active, and that the issue was addressed hours after the company found out about it. If you go to the Xfinity website now, you'll see that you have to verify your account with a username and password or verification code sent to your phone.
A Comcast spokesperson gave the following statement:
"There's nothing more important than our customers' security. Within hours of learning of this issue, we shut it down. At no time did this site enable anyone to access customers' personal usernames and passwords and we have no reason to believe that any account information was accessed. We are conducting a thorough investigation and will take all necessary steps to ensure that this doesn't happen again."
Updated 11:35am PT: Added Comcast's confirmation and statement.