If you lease an Xfinity router from internet service provider (ISP) Comcast, you need to install a VPN as soon as possible.

According to security researchers Karan Saini and Ryan Stevenson, the telecom giant, which operates in 40 states as well as the District of Columbia, leaked router login information through a website designed to allow users to activate their Xfinity devices. The news was first reported by ZDNet.

Saini and Stevenson found that the Xfinity router activation site had several security flaws. First, it sent the user’s SSID and password over the internet in plain text, making it readily available to anyone spying on the network. Second, it allowed users to “activate” accounts that had already been activated. Even worse, users only needed an account number and street address number (that’s right, not even a full address) to access the service.

In other words, someone could obtain your router’s SSID and password with nothing more than a Comcast bill pilfered from a mailbox or trash can, enabling them to gain unauthorized access to the device and use it to monitor unencrypted traffic on your wireless network.

Following the release of the explosive initial report, Comcast took down the service and said that it will “take all necessary steps to ensure that this doesn’t happen again.” However, the fact that it happened at all is one time too many, which should give users pause about continuing to pay to lease these devices from an ISP.

In any case, Xfinity router users should immediately install a VPN to ensure their network traffic is encrypted and masked from would-be snoopers.

Additionally, they should change the password to their routers, which will lock out anyone currently spying on their network traffic (but will not protect them if a similar bug is found in the future).
