Comcast Xfinity accounts hacked in widespread 2FA bypass attacks

Gandalf_The_Grey

Level 78
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,770
Comcast Xfinity customers report their accounts being hacked in widespread attacks that bypass two-factor authentication. These compromised accounts are then used to reset passwords for other services, such as the Coinbase and Gemini crypto exchanges.

Starting on December 19th, many Xfinity email users began receiving notifications that their account information had been changed. However, when attempting to access the accounts, they could not log in as the passwords had been changed.

After regaining access to the accounts, they discovered they had been hacked and a secondary email at the disposable @yopmail.com domain was added to their profile.

Similar to Gmail, Xfinity allows customers to configure a secondary email address to be used for account notifications and password resets in the event they lose access to their Xfinity account.
A researcher has told BleepingComputer that the attacks are being conducted through credential stuffing attacks to determine the login credentials for Xfinity attacks.

Once they gain access to the account and are prompted to enter their 2FA code, the attackers allegedly use a privately circulated OTP bypass for the Xfinity site that allows them to forge successful 2FA verification requests.

Once logged into the account, they can change the secondary email to the @yopmail.com account and perform password resets.

The main Xfinity email will also receive a notification that their information was changed, but as the password has been changed as well, will be unable to access it.
BleepingComputer reached out to Comcast press contacts several times this week but has yet to receive a reply to our emails.

However, an Xfinity customer posted on Reddit that the company is aware of the account breaches and looking for the source of the hacks.

"I spoke to a second person in the xfinity security department that told me not to worry about the fraudulent yopmail account on my xfinity account and indicated that this had happened with many (maybe all) xfinity accounts," a user posted to Reddit about the hacks.

"She indicated that xfinity is still working to find the source of the hack. Apparently this this is a much more widespread issue than is being reported. It does not seem that xfinity e-mail is secure at this time."
 

Andrezj

Level 6
Nov 21, 2022
248
credential stuffing attacks
"
Credential stuffing is a type of brute-force attack that relies on automated tools to test large volumes of stolen usernames and passwords across multiple sites until one works. Credential stuffing preys upon two things:

  1. Many organizations still allow customers and employees to use password-only logins (without MFA).
  2. Users are so overwhelmed by the number of logins they have (upwards of 200 on average) that they resort to reusing passwords across multiple accounts.
"
 
  • Like
Reactions: [correlate]

Andrezj

Level 6
Nov 21, 2022
248
Credential stuffing - use a unique password for each account. Easy peasy.

@Andrezj already covered.
perhaps for you, but you are security minded, the vast majority of people out in userland are not, and from this the never ending lesson is that security software alone cannot protect them
when it comes to digital security, user behavior is a much greater determinant to safety than any other factor
 

blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,839
perhaps for you, but you are security minded, the vast majority of people out in userland are not, and from this the never ending lesson is that security software alone cannot protect them
when it comes to digital security, user behavior is a much greater determinant to safety than any other factor
But credential stuffing isn’t a failing of Comcast. Articles like this scare people because they think they are helpless against hackers. The 2FA bypass is a MAJOR failing, but still not a viable hack without credential stuffing.
 

Andrezj

Level 6
Nov 21, 2022
248
But credential stuffing isn’t a failing of Comcast. Articles like this scare people because they think they are helpless against hackers. The 2FA bypass is a MAJOR failing, but still not a viable hack without credential stuffing.
i did not say credential stuffing is a comcast failing, it is however users who make credential stuffing and password spraying an easy way to breach a system
users are at fault when they use the same password or easily cracked passwords
one cannot blame anyone else other than users - it is their habits that caused this very problem
they are not helpless but at the same time digital security and doing the things to stay secure are not the average person's priority
 
  • Like
Reactions: [correlate]

blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,839
i did not say credential stuffing is a comcast failing, it is however users who make credential stuffing and password spraying an easy way to breach a system
users are at fault when they use the same password or easily cracked passwords
one cannot blame anyone else other than users - it is their habits that caused this very problem
they are not helpless but at the same time digital security and doing the things to stay secure are not the average person's priority
Oh I sorry wasn’t accusing you of that. I should have made that more clear. I think the articles written about these types of things don’t do a good job of explaining to non-tech people what actually is happening, and how to easily avoid being a victim. It just scares people.
 

Andrezj

Level 6
Nov 21, 2022
248
Oh I sorry wasn’t accusing you of that. I should have made that more clear. I think the articles written about these types of things don’t do a good job of explaining to non-tech people what actually is happening. It just scares people.
cybersecurity news is all about click-bait and page views, it is not about educating people
educating citizens about digital security is hardly done in society, so many people graduate from school or university and know next to nothing about cybersecurity, "i need to install av" is about the extent of knowledge
 

blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,839
cybersecurity news is all about click-bait and page views, it is not about educating people
educating citizens about digital security is hardly done in society, so many people graduate from school or university and know next to nothing about cybersecurity, "i need to install av" is about the extent of knowledge
Agreed
 
  • Like
Reactions: [correlate]

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top