2FA bypass attacks caused the hack on Comcast Xfinity accounts

January 7, 2023

Numerous Comcast Xfinity customers have reported that their accounts were hijacked, and the reports indicate that the attackers got in by bypassing two-factor authentication (2FA).

The attackers then used the compromised accounts to reset passwords on other services, such as the Gemini and Coinbase cryptocurrency exchanges.

Last week, many Xfinity email users began receiving notifications that their account information had been changed. When they then tried to log in they could not, because the attackers had already changed their passwords.

After regaining control of their accounts, users found that the intruders had added a secondary email address at a disposable-email domain to their profile.

Xfinity customers can also add a second email address to their account.

Comcast Xfinity lets its users set up a secondary email address that receives account notifications and password resets. The feature works like Gmail's recovery address: users can reset their password through it if they lose access to their account.

Most of the affected Xfinity customers were sure that 2FA was enabled on their accounts, yet the attackers still managed to bypass that control and break into their mailboxes.

A researcher said the recent email intrusion campaign is run using credential stuffing: the operators replay username and password pairs leaked from other breaches to find the ones that also work on Xfinity accounts.

Once a valid credential pair is found, the attackers hit the 2FA code prompt, which they get past easily. Reports say they use a privately traded OTP bypass for the Xfinity site that lets them clear the two-factor verification step.

Having got into the account, they change the secondary email address to an @yopmail[.]com address and reset the password.

The primary Xfinity mailbox does receive a notification that the account details were changed, but by then the real owner cannot log in, because the attackers have also changed the password.

Finally, with full control of the Xfinity mailbox, the attackers can go after other online services the customer uses, for example by requesting password resets that land in the hijacked mailbox.
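The chain above (credential stuffing, a recovery-email change to a disposable domain, then a password reset) leaves a recognisable trail in account audit logs. The Python sketch below is an added example, not code from the article or from Comcast, showing how a detection rule might correlate those steps. The audit-event schema, field names, thresholds and the disposable-domain list are assumptions made for illustration, and the sample events are constructed.

```python
"""Detection sketch for the account-takeover chain described above.

Added example, not code from the article or from Comcast. The audit-event
schema, field names, thresholds and the disposable-domain list below are
assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed list of disposable-email domains; a real deployment would use a
# maintained feed. yopmail[.]com is the domain named in the reports.
DISPOSABLE_DOMAINS = {"yopmail.com", "mailinator.com", "guerrillamail.com"}

# An IP that fails logins against this many distinct accounts looks like
# credential stuffing rather than one user mistyping a password (assumed value).
STUFFING_ACCOUNT_THRESHOLD = 5

# How close together the login, recovery-email change and password reset must be.
TAKEOVER_WINDOW = timedelta(minutes=30)

# Constructed sample audit events (not real Xfinity logs).
SAMPLE_EVENTS = [
    # One IP spraying leaked credentials across many accounts.
    {"ts": "2023-01-03T10:00:01", "account": "bob", "event": "login_failed", "ip": "203.0.113.7"},
    {"ts": "2023-01-03T10:00:02", "account": "carol", "event": "login_failed", "ip": "203.0.113.7"},
    {"ts": "2023-01-03T10:00:03", "account": "dave", "event": "login_failed", "ip": "203.0.113.7"},
    {"ts": "2023-01-03T10:00:04", "account": "erin", "event": "login_failed", "ip": "203.0.113.7"},
    {"ts": "2023-01-03T10:00:05", "account": "frank", "event": "login_failed", "ip": "203.0.113.7"},
    # A hit: login succeeds, recovery email moves to a disposable domain, password is reset.
    {"ts": "2023-01-03T10:05:00", "account": "alice", "event": "login_success", "ip": "203.0.113.7"},
    {"ts": "2023-01-03T10:06:00", "account": "alice", "event": "recovery_email_changed",
     "ip": "203.0.113.7", "new_email": "x7q2@yopmail.com"},
    {"ts": "2023-01-03T10:07:00", "account": "alice", "event": "password_reset", "ip": "203.0.113.7"},
    # Benign: a user adds a normal backup address.
    {"ts": "2023-01-03T11:00:00", "account": "grace", "event": "login_success", "ip": "198.51.100.4"},
    {"ts": "2023-01-03T11:01:00", "account": "grace", "event": "recovery_email_changed",
     "ip": "198.51.100.4", "new_email": "grace.backup@example.com"},
    # Lower confidence: disposable recovery address, but no stuffing IP and no reset.
    {"ts": "2023-01-03T12:00:00", "account": "heidi", "event": "login_success", "ip": "192.0.2.9"},
    {"ts": "2023-01-03T12:02:00", "account": "heidi", "event": "recovery_email_changed",
     "ip": "192.0.2.9", "new_email": "tmp@mailinator.com"},
]


def parse_events(raw_events):
    """Parse ISO-8601 timestamps and return the events sorted by time."""
    events = [dict(e, ts=datetime.fromisoformat(e["ts"])) for e in raw_events]
    return sorted(events, key=lambda e: e["ts"])


def stuffing_ips(events, threshold=STUFFING_ACCOUNT_THRESHOLD):
    """IPs that failed logins against at least `threshold` distinct accounts."""
    failed = defaultdict(set)
    for e in events:
        if e["event"] == "login_failed":
            failed[e["ip"]].add(e["account"])
    return {ip for ip, accounts in failed.items() if len(accounts) >= threshold}


def email_domain(address):
    """Lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def detect_takeovers(raw_events, window=TAKEOVER_WINDOW):
    """Flag accounts whose recovery email moved to a disposable domain.

    Each alert lists the reasons that fired; more reasons means higher confidence:
    a preceding login from a credential-stuffing IP and a password reset shortly
    after the recovery-email change both strengthen the case.
    """
    events = parse_events(raw_events)
    suspect_ips = stuffing_ips(events)
    per_account = defaultdict(list)
    for e in events:
        per_account[e["account"]].append(e)

    alerts = []
    for account, evs in per_account.items():
        last_login = None
        for i, e in enumerate(evs):
            if e["event"] == "login_success":
                last_login = e
            elif e["event"] == "recovery_email_changed" and email_domain(e["new_email"]) in DISPOSABLE_DOMAINS:
                reasons = ["recovery email moved to disposable domain"]
                if last_login and e["ts"] - last_login["ts"] <= window and last_login["ip"] in suspect_ips:
                    reasons.append("preceded by login from credential-stuffing IP")
                # Events are time-sorted, so every later event has ts >= e["ts"].
                if any(f["event"] == "password_reset" and f["ts"] - e["ts"] <= window for f in evs[i + 1:]):
                    reasons.append("password reset within window of recovery-email change")
                alerts.append({"account": account, "ip": e["ip"], "new_email": e["new_email"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_takeovers(SAMPLE_EVENTS):
        print(alert["account"], alert["new_email"], "|", "; ".join(alert["reasons"]))
```

On the sample data, alice's account fires all three reasons (stuffing IP, disposable recovery address, prompt password reset), heidi's fires only the disposable-domain reason, and grace's ordinary backup address produces nothing. In practice the recovery-email change alone is worth a customer notification, and the three-reason combination is worth an automatic session revocation.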
