Customers of Comcast Xfinity have reported that their accounts were hacked in widespread attacks that bypass two-factor authentication. The compromised accounts can then be used to reset passwords on other services, such as the Coinbase and Gemini cryptocurrency exchanges.
Many Xfinity users started receiving notifications on December 19, 2009 that their account information had been changed. They were unable to log in because their passwords had been changed.
Once they regained access to their accounts, they discovered how they had been compromised: a secondary email address at [email protected] had been created and added to the account.
Xfinity, like Gmail, lets customers set up a secondary email address for account notifications and password resets.
BleepingComputer was first alerted to these hacking attempts by Xfinity customers who shared their stories with us. Other customers shared the same reports via Reddit [1, 2, 3], Twitter, and Xfinity’s support forum.
All of the Xfinity customers we spoke with said that they had two-factor authentication enabled on their accounts, yet the threat actors were still able to bypass it and log in.
“They were able to change my personal information and reset my password, bypassing 2FA. The email they set up was ,” explained an Xfinity customer on Reddit.
2FA bypass is rumored to be privately available
BleepingComputer has been informed by a researcher that these attacks use credential stuffing to obtain login credentials for Xfinity accounts.
Once they have gained access to an account and are prompted for the 2FA code, the attackers allegedly use a private OTP bypass for Xfinity that lets them pass the 2FA verification.
After logging in, the attackers change the secondary email address to one at @yopmail.com and reset the password.
Notifications about these changes are sent to the customer's main Xfinity email, but the customer can no longer read them because the password has also been changed.
With full access to the Xfinity email address, the threat actors then try to take over other online services the customer uses, by approving the password reset requests that those services send to the compromised mailbox.
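The takeover chain described above (recovery address switched to a throwaway @yopmail.com mailbox, then a password reset) is something an account provider's own audit logs can surface. The following Python is an added example, not code from BleepingComputer, Comcast or any of the affected services; the log line format, the field names and the disposable-domain list beyond yopmail.com are assumptions, and the log lines are constructed.

```python
"""Detection sketch for the recovery-email swap followed by a password reset.

Added illustration, not vendor code. The audit-log format below is constructed:
    <ISO timestamp> <account> <action> [<detail>]
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Throwaway-mail domains to treat as risky recovery addresses. yopmail.com is
# the one named in the reports; the other entries are assumptions.
DISPOSABLE_DOMAINS = {"yopmail.com", "mailinator.com", "guerrillamail.com"}


@dataclass
class Event:
    ts: datetime
    account: str
    action: str        # login_success | mfa_verified | secondary_email_set | password_reset
    detail: str = ""   # for secondary_email_set: the new recovery address


def parse_line(line: str) -> Event:
    """Parse one constructed audit line into an Event."""
    parts = line.split(maxsplit=3)
    ts, account, action = parts[0], parts[1], parts[2]
    detail = parts[3] if len(parts) > 3 else ""
    return Event(datetime.fromisoformat(ts), account, action, detail)


def is_disposable(address: str) -> bool:
    """True when the address's domain (case-insensitive) is a throwaway provider."""
    domain = address.rpartition("@")[2].lower()
    return domain in DISPOSABLE_DOMAINS


def detect_takeover(lines, window=timedelta(hours=1)):
    """Return alert strings for accounts whose recovery email was set to a
    disposable domain, and again if a password reset follows within `window`."""
    by_account = {}
    for line in lines:
        ev = parse_line(line)
        by_account.setdefault(ev.account, []).append(ev)

    alerts = []
    for account, events in by_account.items():
        events.sort(key=lambda e: e.ts)
        swap_ts = None      # time of the most recent disposable-address swap
        swap_addr = None
        for ev in events:
            if ev.action == "secondary_email_set":
                if is_disposable(ev.detail):
                    swap_ts, swap_addr = ev.ts, ev.detail
                    alerts.append(f"{account}: recovery email set to disposable address {ev.detail}")
                else:
                    swap_ts = None  # a legitimate-looking change clears the pending state
            elif ev.action == "password_reset" and swap_ts is not None and ev.ts - swap_ts <= window:
                secs = int((ev.ts - swap_ts).total_seconds())
                alerts.append(f"{account}: password reset {secs}s after recovery email changed to {swap_addr}")
                swap_ts = None
    return alerts


# Constructed sample: 'alice' matches the reported pattern, 'bob' is a benign change.
SAMPLE_LOG = [
    "2022-01-01T08:00:00 alice login_success",
    "2022-01-01T08:00:05 alice mfa_verified",
    "2022-01-01T08:01:10 alice secondary_email_set attacker123@yopmail.com",
    "2022-01-01T08:02:00 alice password_reset",
    "2022-01-01T09:00:00 bob secondary_email_set bob.backup@example.com",
    "2022-01-01T09:01:00 bob password_reset",
]

if __name__ == "__main__":
    for alert in detect_takeover(SAMPLE_LOG):
        print(alert)
```

Run as a script it prints the two alerts for `alice` and nothing for `bob`. The second alert is the higher-confidence one: a recovery-address change alone can be legitimate, but a reset seconds after the address moved to a throwaway domain is the sequence the affected customers described, and it is a reasonable trigger for a step-up verification or a hold on the reset.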
BleepingComputer was informed by affected customers that the hackers tried to reset their passwords for Dropbox, Evernote and the Coinbase cryptocurrency exchange.
BleepingComputer was unable to independently verify whether this OTP bypass is legitimate or whether it was used in the reported hacks, but it would explain how the threat actors gained access to accounts that had 2FA enabled.
BleepingComputer reached out to Comcast press contacts several times this week, but has not yet received a response to our emails.
Reddit user Xfinity Customer X1 said that they are aware of the account breaches and are looking into the origin of the hacking.
A Reddit user shared the following: “I talked to a second individual in the xfinity security team that advised me to not worry about my fraudulent yopmail accounts on my xfinity account. He indicated that it had occurred with many (maybe all?) xfinity accounts.”
She indicated that xfinity was still trying to locate the root cause of the hack. This appears to be a more widespread problem than is being reported. The security of xfinity email is not apparent at the moment.