Comcast Xfinity customers report their accounts being hacked in widespread attacks that bypass two-factor authentication. These compromised accounts are then used to reset passwords for other services, such as the Coinbase and Gemini crypto exchanges.
Starting on December 19th, many Xfinity email users began receiving notifications that their account information had been changed. However, when attempting to access the accounts, they could not log in as the passwords had been changed.
After regaining access to the accounts, they discovered they had been hacked and a secondary email at the disposable @yopmail.com domain was added to their profile.
Similar to Gmail, Xfinity allows customers to configure a secondary email address to be used for account notifications and password resets in the event they lose access to their Xfinity account.
Source: BleepingComputer
BleepingComputer first learned of these account hacks after numerous Xfinity customers reached out to us to share their experiences. In addition, other customers shared similar reports on Reddit [1, 2], Twitter [1, 2, 3], and Xfinity's own support forum.
All Xfinity customers we spoke to said they have two-factor authentication enabled on their accounts, yet the threat actors could bypass it and log in to their accounts.
"Someone was able to reset my password and change personal account information, they bypassed 2FA. the email they setup was xxxxxxxx@yopmail.com," explained an Xfinity customer on Reddit.
2FA bypass allegedly circulating privately
A researcher has told BleepingComputer that the attacks are being conducted through credential stuffing attacks to determine the login credentials for Xfinity attacks.
Once they gain access to the account and are prompted to enter their 2FA code, the attackers allegedly use a privately circulated OTP bypass for the Xfinity site that allows them to forge successful 2FA verification requests.
Once logged into the account, they can change the secondary email to the @yopmail.com account and perform password resets.
The main Xfinity email will also receive a notification that their information was changed, but as the password has been changed as well, will be unable to access it.
Source: BleepingComputer
Once they gain full access to an Xfinity email account, the threat actors attempt to breach further online services used by the customer, verifying password reset requests to the now compromised email account.
BleepingComputer has been told by some of the affected customers that the hackers attempted to reset passwords at DropBox, Evernote, and the Coinbase and Gemini cryptocurrency exchanges.
While BleepingComputer has been unable to verify the legitimacy of this OTP bypass independently and whether it has been used in the reported hacks, it would explain how the threat actors can gain access to accounts with 2FA enabled.
BleepingComputer reached out to Comcast press contacts several times this week but has yet to receive a reply to our emails.
However, an Xfinity customer posted on Reddit that the company is aware of the account breaches and looking for the source of the hacks.
"I spoke to a second person in the xfinity security department that told me not to worry about the fraudulent yopmail account on my xfinity account and indicated that this had happened with many (maybe all) xfinity accounts," a user posted to Reddit about the hacks.
"She indicated that xfinity is still working to find the source of the hack. Apparently this this is a much more widespread issue than is being reported. It does not seem that xfinity e-mail is secure at this time."
Top 10 MITRE ATT&CK© Techniques Behind 93% of Attacks
Based on an analysis of 14M malicious actions, discover the top 10 MITRE ATT&CK techniques behind 93% of attacks and how to defend against them.
Comments
static_nuance - 2 years ago
I'm a comcast customer and can confirm that this has happened to me 3-4 times now. Once back in early November when I thought that it must have been something I screwed up, and now about 2-3 times over the past 48 hours. There is a significant issue and Comcast isn't saying or doing anything about it.
Also, I posted this article over at the Comcast_Xfinity subreddit, and they locked it and basically said everything was fine. Wow..
BabzE - 2 years ago
im SO angry! I’ve had unknown modems other iOS devices a pixel six etc. attached to my xfinity mobdem. But new phone from iOS 13 and now my phone is screwed I am redirected I know I’m not talking to xfinity and I cannot get any resolve I’ve been there talk ing to them since December 16 every day and I still can’t get a callback from the highest level security any help nothing I am fed up this is fraud! They were hacked by a botnet and they know it and it pisses me off at now I am tied in one too! Why aren’t people talking about botnets /cell phone farming and modems that’s how they come in and thru the modems they change all the trusted certificates and I could see nefarious trusted certificates in the account that I’ve never been able to log into!! they don’t seem to care about helping there are no answers there’s nothing how is this legitimate?? I know their payment methods with third-party vendor were hacked because my automatic payment didn’t come out December 8 now I’m late with the payment and they can’t take online payments which means raw screwed! I need help I can no longer get into the Xfinity modem app , how do I log into an account that I’ve never been able to get into since September when I joined up with them ?? i have unknow Arrris modems, ect…misc devices are attached and I have screenshots of all of them. Xfinity doesn’t give a damn and I get transferred from different department a different department a different apartment, and finally when I do get to security and up two levels all of a sudden the name on my account is different from the one I’m giving them! You think that might be a sign to them??? I need some help here anybody? I can see through the analytics on my phone I’m screwed and have been. I don’t ever know if my phone is being redirected I don’t own any computers anymore because in 2016 the business I was running was taking over by a botnet it called WannaAtTackU… a variation of wanna make you cry which is what a tech target corporation. I need help I’ve had 86 different Gmail addresses there’s an iOS account manager attached to this phone I can’t get any help from the modem people nor Apple support! I understand their capabilities people don’t understand you just can’t wipe a device you can’t just wipe a computer because they come in through the modem and change your trusted certificates they’ve already made those changes in your device so when you reboot him the memory comes back that’s been changed. I learned this the hard way then and I can’t get rid of it can anybody please help me???
xafase - 2 years ago
Sign up for MFA they say. It is more secure they say. Nope, hacker go after the tokens.
BabzE - 2 years ago
I want to apologize in advance …. My eyesight isn’t very good and I have the worst speech to text program on the planet …. I hope you can read through the misspellings and figure out what I’m trying to say . The problem is when they come in to your modem any device you have they’re going to go in and you’re not gonna know what you don’t know it right away but they change those trusted certificates in any device you have your phone your tablet your computers. And I when does bass computer check your trusted users. You’ve got more than three (system/admin/user). I will never ever use a second way of identifying myself! I’m stuck with it with Apple. They’re Genius Bar say oh don’t look at those analytics…REALLY?? not so genius it’s the coding to your system it helps you see what’s changed and they pretend they know nothing about it the problem with these helpdesk is none of them are IT educated they’re only device educated and nobody’s gonna admit that they’re device has been hacked. In 2016 I said they were going to take down the power grid or the water source…. And they keep hacking them….. then dangling carrots in front of the gamers in the cell farming b.s. Go ahead notice that weird glitch in your phone, shrug your shoulders and continue banking…. You know and if you’ve got any sort of antivirus on a Windows based computer or any other Security or VPN…. They’re going to change the settings on that VPN and in the antivirus. Everything looks just fine…. On your side of the screen…. Not so much on the back end. You can buy a brand new computer in the box never plugged in but I highly recommend when you do get it the first thing you do is look at the event logs…. As long as that device as a Wi-Fi capability anybody with an infected device can walk in and they can grab it….. this sounds like a bad sci-fi movie, but it’s not. I let’s think about that…. What happens when the majority of the devices are hacked? Think about everything that’s powered by the Internet…. Gas, banking almost every medical device in a hospital, transportation, etc. We will all be screwed and this world will come to a screeching halt and we will be at the mercy of whoever is the source of this….me? I believe all of the powers that be absolutely know this is happening…. And are part of the orchestration. We are determined the have and the have Nots…. Just like the real old era of old. The only middle class then was a butler or the upstairs maid. At the end of the day we can’t do a damn thing about it all we can do is take care of each other! Comcast no doubt knew there was an issue, especially when the processing comp they use gets hacked…. It’s only sites like this and Tom’s hardware that let us have a place to talk about it! So now I can’t get into my modem, never been able to get into my Comcast email or account…. And now every phone call I make to them is being redirected. I’m 60 years old not a dumb woman, and people think that I am out of my mind…. Especially back then. Nobody wants to hear this, but sticking are freaking heads in the sand does not help! Being aware of it and knowing there’s nothing you can do is a tough nut to swallow…. I do everything old school now. Sadly everybody wants you to go to the web put all your information and etc.. I just phone to text message is from last December 7 that said that my reloading of my IRS prepaid card had gone through!! what???? I don’t have an IRS prepaid card and Ike I’m not being allowed into the government website because my IP address has been compromised. Go figure…. I wish you all love and light and bleeping computer, if you have any idea how to unravel this without whatever listing and watching my every move I’d appreciate it, beyond words. I used to live and almost 6 grand a month and now I live in 1400 on disability. I can’t afford to lose one dime, and fear is a lie in itself…. I would sure like to get together with like-minded people at least to be able to discuss the topic. Maybe that’s what we should be doing do you know anyone else who’s been attacked by a botnet? Or had their business compromised? Because I’d love to be in touch with them. If nothing else , I guess it’s a way to release our anger at something else controlling everything our lives….. and it’s far from over my friends.
BabzE - 2 years ago
my life has been a living hell ever since. Knowing that somebody is constantly monitoring you and you don’t know who it is and you have no idea what their purposes is unsettling at least. People have got to be aware and I am really glad I was able to help. To those of us who have lost businesses and lost our sense of safety and security along with the way we used to live our lives? I wish I could find you too so we could start up a conversation. And wishing you all the best, and again I’m glad I could help enlighten. Pay attention people this shit is real
drewsecure80 - 2 years ago
This news is very concerning. I set up a rule for my company to have all comcast.net emails redirected to quarantine until comcast can get their act together. We sent a notification to all employees as well.
BabzE - 2 years ago
good for you!! but the real key is is that you have to watch your MODEMS!! this is not a virus it’s not a Trojan horse… it’s far worse and you can’t recover your shit! Running that business, knowing what was happening… I had over 600 clients at that particular location and I wouldn’t take their credit card payments any longer! Cash or check only. The owners and I had a very large fight about that, but I love my clients and I wouldn’t do nothing to harm them. Finding out that I was embroiled in it was even harder in my life has never been the same. After nine years I left that company, because they refused to allow me not to take credit cards any longer despite what they knew. I cannot live like that. Integrity is something I will never let go of our compromise! Protect yourself your employees and your clients. I wish you love and light!
ftcm207 - 2 years ago
This happened to an IT client of mine in April 2021. The hackers got even with 2FA on. Comcast support said they’d get back to my client to explain how but never did.
We made a mad dash to change all my client’s online bank and other important accounts’ email address to a gmail address with real 2FA.
I emailed everyone I know who use comcast email and warned them. Most, maybe all, ignored me.
Sounds like the problem is much more wide speead now.
Even after the change, my client had to check several times a day to make sure the hacker didn’t switch their email area back to the forwarding setting.
Once you have a better email service, make your comcast forward to it, but keep checking daily to make sure no one changes it. Then keep changing your online accounts to the new email and tell friends etc. It’s very intense but you can do it.
BabzE - 2 years ago
OK you’ve got to be clear on this this is not a phishing scam or attack it is not a Trojan horse and it is not a virus! Please tell me that he went into his modem and look into it day one! Please tell me he change the default password and looked around inside his modem! And we should be doing that once a week…. Any changes should be noted immediately…. Once they’re in their modem they’re an every single one of your devices with your attached to your Wi-Fi or not! I was just told that was another Arris modem that connected to my network. And then it disconnected after I restarted the gateway….. the operating system is unknown the connection is unknown. This is my friend is when you need to call in the Feds, because this is FCC violation and your friends identity is going to be compromised, if it hasn’t been already. This is no joke, there is no correction to this. This is far greater than the mind could ever imagine it be! Nobody reports this. But you have to if you want to keep yourself safe from the false purchases etc., that will be made on your accounts. I’ve done everything imaginable to unlock my cell finesse and I am not a dumb woman! In fact I’m a highly intelligent woman. It’s taking me years to get over the rage I felt, however there’s not a damn thing I can do about it, not alone anyway. And I am the only one I know that has gone through this or at least admit to it. Everybody wants to keep their head in the sand and doing that it’s gonna cost us globally!
BabzE - 2 years ago
That makes me so sad to hear…. And once again that two FA screws us. The problem now is that just changing those passwords on whatever device he uses, it’s too late. That’s the problem with a botnet! Once it’s in your device it will always be in your device and anything that your client does on any of his devices will be seen! There’s no getting away from it or around it. I have an iPhone 13 and I’ve never backed up to the cloud. Ever. Yet my cell phone usage says that there is 1.8 gigs backed up to my cloud. The settings on my phone say zero. I could go on and on and on, but it’s too late for your friend. He needs to put a freeze on every single one of the credit reporting bureaus. Reported to the IRS as well. Devices I have owned since 2016, no matter what state I’m living in ( I’ve lived in three different state since 2016) , doesn’t matter. irs.gov, will not allow your friend into their servers because they’re IP address is compromised. The only reason I have an apple phone is because I can see the analytics, which every single tech-support person at Apple said…. Oh don’t look at that ignore it. WHAT? That’s what’s driving the operation of my device! I’d love to actually talk to somebody there who is further educated prior to ( Fill in Corp name here) working for that company. I’m so sorry for your friend. He’s going to be have to be hyper vigilant now. His information we sold on the dark web, and either bought by a smash and grab type individual…. Or ones that will take a year maybe two or just six months before they try to withdraw five dollars or so from the account. It’s a very sad world we live in my friend and I was in the very best. If you talk to this person and he wants to talk to me I’m more than willing. God bless and merry Christmas
static_nuance - 2 years ago
Well, it’s been nearly 10 days and this breach continues to be exploited every day. The only solution, other than staying up at all hours defending your account is to have Comcast change the name of your userID/email to something unknown to the hackers. This, at least for now, has stopped the attacks but also ended the usefulness of this email.
Comcast has been silent on the issue.
JettaRed - 2 years ago
Me, too. Incredibly aggravating. I finally got one of the Xfinity security specialists to put a "lock" on my account. In my case, it was one of the secondary Comcast accounts associated with my primary account. However, my primary account was also hacked and had the bogus yopmail address added.
My primary account was hijacked (stolen) two years ago and it took about two weeks to get it back. Because of the way it was stolen, I am convinced it was an "inside job" since it required admin access to the customer database. The hijacker tried a SIM Swap on my phone but failed. Coinbase was the only account also attacked. I NEVER use my Comcast email for any important registrations anymore.
BigsIs - 2 years ago
Bull*hit I dont even know where to start I got messed up because I wanted to cancel a subscription went to the web so I Xfinity dial the number hook me up to somebody named John and I was taking for a ride went to my email to see that the subscription have been canceled so I immediately that my password have been changed not 10 minutes later I'm on the phone with my bank canceling everything don't even know how long this is going to last the majority of these stories as scary as all get out so I think I'm going to call Wate Channel 6 news here and get Don Dare on it to at least expose this nonsense because if we just right here how we feel we're getting no place like you said no one's being held accountable and other people are going to fall into the same trap we're in time to fix well fix is the wrong word time to expose!
GeekyMom - 1 year ago
I can tell you it's happening again. This has happened so many times and it just happened again this week - this time it wasn't a yopemail they just edited my email with a completely fake ending. I think after 20+ years of having this email address, I may have to change it. This is a huge concern as there are probably many companies who have the same security hole. This is not okay to ignore. Email can have a lot of personal information, even when you are careful.
static_nuance - 1 year ago
Well it's been about 15 months this this was first posted and it just happened to me again. Comcast still can't seem to get a handle on their security with bad actors bypassing 2FA on customer accounts.