Comcast Xfinity accounts hacked in widespread 2FA bypass attacks

Gandalf_The_Grey

Thread author
Comcast Xfinity customers report their accounts being hacked in widespread attacks that bypass two-factor authentication. These compromised accounts are then used to reset passwords for other services, such as the Coinbase and Gemini crypto exchanges.

Starting on December 19th, many Xfinity email users began receiving notifications that their account information had been changed. However, when attempting to access the accounts, they could not log in as the passwords had been changed.

After regaining access to the accounts, they discovered they had been hacked and that a secondary email address at the disposable @yopmail.com domain had been added to their profile.

Similar to Gmail, Xfinity allows customers to configure a secondary email address to be used for account notifications and password resets in the event they lose access to their Xfinity account.

A researcher has told BleepingComputer that the attacks are being conducted through credential stuffing, in which previously leaked username/password pairs are tried against the Xfinity login until a pair works.

Once they gain access to the account and are prompted to enter their 2FA code, the attackers allegedly use a privately circulated OTP bypass for the Xfinity site that allows them to forge successful 2FA verification requests.

Once logged into the account, they can change the secondary email to the @yopmail.com account and perform password resets.

The main Xfinity mailbox also receives a notification that the account information was changed, but because the password has been changed as well, the owner is unable to read it.

BleepingComputer reached out to Comcast press contacts several times this week but has yet to receive a reply to its emails.

However, an Xfinity customer posted on Reddit that the company is aware of the account breaches and looking for the source of the hacks.

"I spoke to a second person in the xfinity security department that told me not to worry about the fraudulent yopmail account on my xfinity account and indicated that this had happened with many (maybe all) xfinity accounts," a user posted to Reddit about the hacks.

"She indicated that xfinity is still working to find the source of the hack. Apparently this is a much more widespread issue than is being reported. It does not seem that xfinity e-mail is secure at this time."
credential stuffing attacks

"Credential stuffing is a type of brute-force attack that relies on automated tools to test large volumes of stolen usernames and passwords across multiple sites until one works. Credential stuffing preys upon two things:

  1. Many organizations still allow customers and employees to use password-only logins (without MFA).
  2. Users are so overwhelmed by the number of logins they have (upwards of 200 on average) that they resort to reusing passwords across multiple accounts."
 
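As an added example (not from the article, BleepingComputer, Comcast, or anyone in this thread), the script below runs the two checks a defender would want for the chain the article describes over a handful of constructed authentication and profile-change events: it flags source IPs that try many distinct usernames with a high failure rate (the credential-stuffing stage), then flags accounts whose recovery email was switched to a disposable domain shortly after a successful login from one of those IPs (the @yopmail.com stage). The log format, field names, thresholds, time window and every event line are assumptions made for this example; the only entry on the disposable-domain list is yopmail.com because that is the one domain the article names.

```python
"""Added example: detecting the credential-stuffing -> recovery-email-swap chain.

Log format, field names and thresholds are assumptions for this example;
the events below are constructed, not real Xfinity telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: one IP sprays six accounts (one succeeds), and the
# hijacked account gets a disposable recovery address minutes later. Two
# legitimate users (carol mistyping her own password, bob updating his
# recovery address to a normal domain) are included as negatives.
EVENTS = [
    "2023-12-19T03:00:01Z login ip=203.0.113.7 user=alice@example.net result=fail",
    "2023-12-19T03:00:02Z login ip=203.0.113.7 user=bob@example.net result=fail",
    "2023-12-19T03:00:03Z login ip=203.0.113.7 user=carol@example.net result=fail",
    "2023-12-19T03:00:04Z login ip=203.0.113.7 user=dave@example.net result=fail",
    "2023-12-19T03:00:05Z login ip=203.0.113.7 user=erin@example.net result=fail",
    "2023-12-19T03:00:06Z login ip=203.0.113.7 user=frank@example.net result=ok",
    "2023-12-19T03:09:40Z profile_change ip=203.0.113.7 user=frank@example.net field=recovery_email new=x9k2@yopmail.com",
    "2023-12-19T08:15:00Z login ip=192.0.2.9 user=carol@example.net result=fail",
    "2023-12-19T08:15:20Z login ip=192.0.2.9 user=carol@example.net result=ok",
    "2023-12-19T09:00:00Z login ip=198.51.100.5 user=bob@example.net result=ok",
    "2023-12-19T09:02:00Z profile_change ip=198.51.100.5 user=bob@example.net field=recovery_email new=bob.backup@example.org",
]

# The article names @yopmail.com; a production list would be far longer (assumption).
DISPOSABLE_DOMAINS = {"yopmail.com"}


def parse_event(line):
    """Turn one 'timestamp kind k=v k=v ...' line into a dict."""
    ts, kind, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    event["kind"] = kind
    return event


def find_stuffing_sources(events, min_users=5, min_fail_ratio=0.8):
    """Source IPs that try many distinct usernames and mostly fail.

    A real user mistyping a password hits one username; a stuffing tool
    walks a leaked combo list, so the distinct-user count is the key signal.
    """
    per_ip = defaultdict(lambda: {"users": set(), "fail": 0, "total": 0})
    for e in events:
        if e["kind"] != "login":
            continue
        stats = per_ip[e["ip"]]
        stats["users"].add(e["user"])
        stats["total"] += 1
        if e["result"] == "fail":
            stats["fail"] += 1
    return {
        ip for ip, s in per_ip.items()
        if len(s["users"]) >= min_users and s["fail"] / s["total"] >= min_fail_ratio
    }


def find_takeovers(events, suspect_ips, window=timedelta(minutes=30)):
    """Accounts whose recovery email moved to a disposable domain within
    `window` after a successful login from a suspect IP.
    Returns (user, ip, new_recovery_email) tuples."""
    successes = [
        e for e in events
        if e["kind"] == "login" and e["result"] == "ok" and e["ip"] in suspect_ips
    ]
    hits = []
    for e in events:
        if e["kind"] != "profile_change" or e.get("field") != "recovery_email":
            continue
        domain = e["new"].rsplit("@", 1)[-1].lower()
        if domain not in DISPOSABLE_DOMAINS:
            continue
        for s in successes:
            if s["user"] == e["user"] and timedelta(0) <= e["ts"] - s["ts"] <= window:
                hits.append((e["user"], s["ip"], e["new"]))
                break
    return hits


def analyse(lines):
    """Run both detections over raw log lines."""
    events = [parse_event(line) for line in lines]
    suspect_ips = find_stuffing_sources(events)
    return {"stuffing_ips": suspect_ips, "takeovers": find_takeovers(events, suspect_ips)}


if __name__ == "__main__":
    result = analyse(EVENTS)
    print("credential-stuffing sources:", sorted(result["stuffing_ips"]))
    for user, ip, new_email in result["takeovers"]:
        print(f"possible takeover: {user} recovery email -> {new_email} after login from {ip}")
```

Two caveats a practitioner would add: grouping by single source IP is only a first cut, since stuffing campaigns routinely rotate through residential proxies, so per-IP counts have to be complemented by per-ASN counts, device fingerprints or the failure rate across the whole login endpoint; and nothing in these events shows the 2FA bypass itself, because the article does not say how the OTP check was defeated, so the example deliberately makes no claim about that step beyond the observable effect (a successful login from a stuffing source followed by the recovery-address change).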
Credential stuffing - use a unique password for each account. Easy peasy.

@Andrezj already covered.
Perhaps for you, but you are security minded; the vast majority of people out in userland are not, and from this the never-ending lesson is that security software alone cannot protect them.
When it comes to digital security, user behavior is a much greater determinant of safety than any other factor.
 
But credential stuffing isn’t a failing of Comcast. Articles like this scare people because they think they are helpless against hackers. The 2FA bypass is a MAJOR failing, but still not a viable hack without credential stuffing.
 
I did not say credential stuffing is a Comcast failing; it is, however, users who make credential stuffing and password spraying an easy way to breach a system.
Users are at fault when they use the same password or easily cracked passwords.
One cannot blame anyone other than users; it is their habits that caused this very problem.
They are not helpless, but at the same time digital security and doing the things to stay secure are not the average person's priority.
 
Oh, sorry, I wasn't accusing you of that. I should have made that more clear. I think the articles written about these types of things don't do a good job of explaining to non-tech people what actually is happening, and how to easily avoid being a victim. It just scares people.
 
Cybersecurity news is all about click-bait and page views; it is not about educating people.
Educating citizens about digital security is hardly done in society, so many people graduate from school or university and know next to nothing about cybersecurity; "I need to install AV" is about the extent of their knowledge.
 
Agreed
 