The passwords of as many as 320,000 Time Warner residential customers may have been stolen in a hacking attack, the company has confirmed.

The company will not say whether any of its approximately 380,000 Maine customers may have been affected, responding to requests for Maine specifics with the answer that the breach included “residential customers across our markets.” Time Warner, the largest cable provider in Maine, has 16 million business and residential customers in 29 states, according to its website.

Company spokeswoman Nathalie Burgos said in an email Thursday that the company was contacting customers through email and direct mail so they can “take precautions to protect their accounts and update their passwords using a strong, unique alternative.”

People who use Roadrunner email accounts, which is Time Warner’s email service and has an tag, are of particular concern, Burgos said. Exposed email accounts could contain sensitive personal and financial information, she said.

Burgos said the emails and passwords probably were stolen previously through malware — harmful computer software and viruses — downloaded through digital attacks or indirectly through data breaches of third-party companies that stored Time Warner customer information, including email.

“Our understanding is that the compromise had nothing to do with TWC’s systems or processes,” Burgos said in her email. “We haven’t yet determined how the information was obtained, but there are no indications that our systems were breached.”

Internet security expert Ed Sihler said Thursday the severity of such a breach depends on what people used their Time Warner email accounts for. If customers used their email to deal with credit cards and other sensitive personal information such as tax accounts or their messages contained Social Security numbers, there could be a problem, said Sihler, who is the technical director for the Maine Cyber Security Cluster at the University of Southern Maine in Portland.

If the email account was used only for junk mail or not used at all, there is little threat, but users should change their email passwords to prevent being used as a platform to send spam, he said.

The FBI recently notified the company that some customers’ email addresses, including account passwords, may have been compromised, Burgos said. The company estimates as many as 320,000 could be affected.

Joshua Silver, a shareholder at the Bernstein, Shur, Sawyer & Nelson law firm in Portland who specializes in cybersecurity, said it is likely that the actual number of Time Warner customers affected by the breach far exceeds the company’s initial estimate of 320,000, which is exactly 2 percent of the company’s 16 million-customer base.

He cited other large, national incidents such as the 2013 Target Brands Inc. breach, in which the discount retailer’s initial estimates fell far short of the 70 million people now believed to have been affected.

“That’s almost always the case,” Silver said. “You get lowballed in the beginning.”

Sihler said the best technique to protect personal accounts from data breaches is to change passwords regularly and make them challenging to break.

A customer might not even realize an account had been compromised if all a hacker does is read a few emails. On the other hand, if someone starts sending out spam to people from the email account, “the user notices fairly quickly because of the angry responses that fill the inbox,” Sihler said.

Time Warner customers who don’t use the company’s email service probably won’t be affected by the breach, he added.

“It doesn’t sound like they got into the billing database, so they didn’t get billing information directly,” Sihler said.

Sihler said the number of people possibly affected by the issue seemed small considering Time Warner’s size. “It sounds like from what I’m reading that someone has gotten a password database,” Sihler said. “I would expect the number of accounts (affected) to go up if it was an actual breach.”

Sihler said the scale of the problem doesn’t indicate that hackers got into a geographic server, and the problem could be as simple as an employee misplacing a USB stick with password information, he said.

Burgos also said the company has “several tips on how to navigate the Web more carefully and avoid phishing schemes on our website.” Phishing refers to a practice in which criminals try to access sensitive information or install harmful software by posing as legitimate sources, such as banks or other financial institutions, through email and social media.

Sihler said it is also unclear whether the passwords were encrypted when they were stolen. If the passwords were encrypted, it could take hundreds of days for whoever wanted them to put them into plain language, Sihler added.

The Winslow and Waterville police departments warned the public about the security breach in Facebook posts Thursday morning.

Waterville Deputy Chief Charles Rumsey said Thursday his department had not received any complaints in response to those posts.

“It stands to reason we will find out some people in the state were affected, but we have heard nothing yet,” Rumsey said.

Portland Press Herald staff writer J. Craig Anderson contributed to this report.


Peter McGuire — 861-9239

[email protected]

Twitter: @PeteL_McGuire

Only subscribers are eligible to post comments. Please subscribe or to participate in the conversation. Here’s why.

Use the form below to reset your password. When you've submitted your account email, we will send an email with a reset code.