Xfinity accounts breached despite 2FA
In an extensive two-factor authentication bypass campaign, multiple Comcast Xfinity email accounts were hacked, and the compromised accounts were used to reset passwords for other services. This comes shortly after Comcast Xfinity announced price increases for the new year.
Customers of the American telecommunications company are lamenting across social media that their accounts were hacked despite the use of two-factor authentication. They also state that the attackers are using the compromised accounts to gain access to and hijack the victims’ other services, including Evernote, Dropbox, and the cryptocurrency exchanges Coinbase and Gemini.
Starting on December 19, Xfinity email users began receiving notifications about changes to their account information. Users who initially couldn’t access their accounts because the passwords had been changed eventually discovered that the accounts had been hacked and that a secondary email at the @yopmail.com domain had been added.
Meanwhile, according to a researcher, the attacks are being carried out using credential stuffing to determine the login credentials for Xfinity accounts. The researcher went on to explain that once the attackers log in with a valid password and are prompted for the 2FA code, they allegedly use a privately circulated OTP bypass for the Xfinity site to forge successful 2FA verification requests. Once logged in, they change the secondary email address to the @yopmail.com account and reset passwords.
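The two stages the researcher describes, a credential-stuffing burst followed by a recovery-address change to a disposable domain shortly after login, leave a trail in authentication logs that a provider can alert on. The Python below is an added example written for this page, not code from Xfinity, BleepingComputer or the researcher; the event format, log lines, thresholds and time windows are constructed.

```python
# Added example: constructed event format, log lines and thresholds, not data from the article.
from collections import defaultdict
from datetime import datetime, timedelta

DISPOSABLE_DOMAINS = {"yopmail.com"}  # domain named in the report; extend as needed
# Constructed events: "<ISO time> <event> <account> <source ip> [<new recovery e-mail>]"
SAMPLE_LOG = """\
2022-12-19T10:00:01 login_failed alice@example.com 203.0.113.7
2022-12-19T10:00:02 login_failed bob@example.com 203.0.113.7
2022-12-19T10:00:03 login_failed carol@example.com 203.0.113.7
2022-12-19T10:00:09 login_success carol@example.com 203.0.113.7
2022-12-19T10:00:40 recovery_email_changed carol@example.com 203.0.113.7 x1@yopmail.com
2022-12-19T11:30:20 login_success frank@example.com 198.51.100.4
2022-12-19T11:31:00 recovery_email_changed frank@example.com 198.51.100.4 frank.backup@example.org
"""

def parse(log):
    """Return (time, event, account, ip, detail-or-None) tuples, oldest first."""
    events = []
    for line in log.splitlines():
        p = line.split()
        events.append((datetime.fromisoformat(p[0]), p[1], p[2], p[3], p[4] if len(p) > 4 else None))
    return sorted(events)

def stuffing_sources(events, min_accounts=3, window=timedelta(minutes=1)):
    """IPs whose failed logins span >= min_accounts distinct accounts inside one window."""
    fails = defaultdict(list)
    for ts, ev, acct, ip, _ in events:
        if ev == "login_failed":
            fails[ip].append((ts, acct))
    flagged = set()
    for ip, attempts in fails.items():
        for i, (start, _) in enumerate(attempts):  # attempts are already time-sorted
            accts = {a for t, a in attempts[i:] if t - start <= window}
            if len(accts) >= min_accounts:
                flagged.add(ip)
                break
    return flagged

def takeover_candidates(events, window=timedelta(minutes=10)):
    """Accounts whose recovery e-mail moved to a disposable domain soon after a successful login."""
    last_login, hits = {}, []
    for ts, ev, acct, ip, detail in events:
        if ev == "login_success":
            last_login[acct] = ts
        elif ev == "recovery_email_changed" and detail:
            domain = detail.rsplit("@", 1)[-1].lower()
            if domain in DISPOSABLE_DOMAINS and acct in last_login and ts - last_login[acct] <= window:
                hits.append(acct)
    return hits
```

On the constructed log, the stuffing check flags the single source IP that failed against three accounts within a minute, and the takeover check flags only the account whose recovery address moved to @yopmail.com right after login, not the one that changed to a regular domain.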
“Starting on December 19th, many Xfinity email users began receiving notifications that their account information had been changed. However, when attempting to access the accounts, they could not log in as the passwords had been changed,” BleepingComputer reported. “After regaining access to the accounts, they discovered they had been hacked and a secondary email at the disposable @yopmail.com domain was added to their profile.”
Xfinity’s response to a user’s complaint, after the user’s account was compromised twice in 4 hours, was that the user should engage in a struggle with the hackers and keep changing the password back every time the attackers changed it.
Comcast has not yet issued a public response.
The sources for this piece include an article in BleepingComputer.