Comcast Xfinity customers report their accounts being hacked in widespread attacks that bypass two-factor authentication. These compromised accounts are then used to reset passwords for other services, such as the Coinbase and Gemini crypto exchanges.
Starting on December 19th, many Xfinity email users began receiving notifications that their account information had been changed. However, when attempting to access the accounts, they could not log in as the passwords had been changed.
After regaining access to the accounts, they discovered they had been hacked, and a secondary email at the disposable @yopmail.com domain was added to their profile.
Similar to Gmail, Xfinity allows customers to configure a secondary email address to be used for account notifications and password resets in the event they lose access to their Xfinity account.
“Someone was able to reset my password and change personal account information; they bypassed 2FA. the email they set up was xxxxxxxx@yopmail[.]com,” explained an Xfinity customer on Reddit.
A researcher has revealed that the attacks are being conducted through credential stuffing attacks to determine the login credentials for Xfinity attacks.
Once they gain access to the account and are prompted to enter their 2FA code, the attackers allegedly use a privately circulated OTP bypass for the Xfinity site that allows them to forge successful 2FA verification requests.
Once logged into the account, they can change the secondary email to the @yopmail.com account and perform password resets.
The primary Xfinity email will also receive a notification that their information was changed, but as the password has been changed, they will be unable to access it.
Once they gain full access to an Xfinity email account, the threat actors attempt to breach further online services used by the customer, verifying password reset requests to the now compromised email account.
Some have told the affected customers that the hackers attempted to reset passwords at DropBox, Evernote, and the Coinbase and Gemini cryptocurrency exchanges.
However, an Xfinity customer posted on Reddit that the company is aware of the account breaches and looking for the source of the hacks.
“I spoke to a second person in the Xfinity security department that told me not to worry about the fraudulent Yopmail account on my Xfinity account and indicated that this had happened with many (maybe all) Xfinity accounts,” a user posted to Reddit about the hacks.
“She indicated that Xfinity is still working to find the source of the hack. This is a much more widespread issue than is being reported. It does not seem that Xfinity e-mail is secure at this time.”
