Customers of Comcast's Xfinity service have reported their accounts being hacked in 2FA-bypass attacks. The compromised accounts are also being used to reset passwords at other services, such as Gemini and Coinbase.
How did the attack happen
From December 19 onward, Xfinity email users started receiving notifications that their account information was changed.
According to a researcher, credential-stuffing attacks were launched against users’ email IDs to break into their accounts.
Once the attackers had working credentials and the system prompted for a 2FA code, they allegedly used a privately circulated OTP bypass mechanism to forge 2FA verification requests for the Xfinity site.
Discussing the damage
When users attempted to access the accounts, they realized that passwords were also changed.
In some cases, after the users regained access to the accounts, they spotted that a secondary email at the disposable @yopmail[.]com domain was added to their profile.
Several customers shared their experiences about these hacks on Reddit, Twitter, and Xfinity's support forum. All the hacked customers were reported to have two-factor authentication enabled on their accounts.
Users’ primary Xfinity email receives a notification about the information change. However, users could not see it because the password had already been changed.
Some of the affected customers have claimed that the attackers then tried to reset passwords at multiple services, such as Dropbox, Evernote, and the Coinbase and Gemini cryptocurrency exchanges.
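As an added example that is not from the article or from Comcast, the following script shows how a defender could flag the two signals described above in account audit logs: one IP failing logins against many distinct accounts in a short window (credential stuffing), and a disposable-domain secondary email being added shortly after a password change. The event format, field names, IPs, addresses and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (not real Xfinity logs).
# Fields: timestamp, event type, account, source IP, detail
EVENTS = [
    ("2023-12-19T10:00:00", "login_failed", "alice@example.com", "203.0.113.7", ""),
    ("2023-12-19T10:00:01", "login_failed", "bob@example.com", "203.0.113.7", ""),
    ("2023-12-19T10:00:02", "login_failed", "carol@example.com", "203.0.113.7", ""),
    ("2023-12-19T10:00:03", "login_failed", "dave@example.com", "203.0.113.7", ""),
    ("2023-12-19T10:00:04", "login_ok", "alice@example.com", "203.0.113.7", ""),
    ("2023-12-19T10:01:00", "password_changed", "alice@example.com", "203.0.113.7", ""),
    ("2023-12-19T10:01:30", "secondary_email_added", "alice@example.com", "203.0.113.7", "x123@yopmail.com"),
    ("2023-12-19T12:00:00", "secondary_email_added", "erin@example.com", "198.51.100.2", "erin.backup@example.net"),
]

# Disposable domains to watch; the article only names yopmail.com.
DISPOSABLE_DOMAINS = {"yopmail.com"}


def parse(ts):
    return datetime.fromisoformat(ts)


def stuffing_sources(events, window=timedelta(minutes=5), min_accounts=3):
    """Return IPs that fail logins against many distinct accounts within one window."""
    fails = defaultdict(list)
    for ts, ev, acct, ip, _ in events:
        if ev == "login_failed":
            fails[ip].append((parse(ts), acct))
    flagged = set()
    for ip, items in fails.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            accts = {a for t, a in items[i:] if t - t0 <= window}
            if len(accts) >= min_accounts:
                flagged.add(ip)
                break
    return flagged


def suspicious_takeovers(events, window=timedelta(minutes=10)):
    """Return (account, ip, email) where a disposable recovery email follows a password change."""
    pw_changes, hits = {}, []
    for ts, ev, acct, ip, detail in sorted(events):  # ISO timestamps sort chronologically
        t = parse(ts)
        if ev == "password_changed":
            pw_changes[acct] = t
        elif ev == "secondary_email_added":
            domain = detail.rsplit("@", 1)[-1].lower()
            recent_pw = acct in pw_changes and t - pw_changes[acct] <= window
            if domain in DISPOSABLE_DOMAINS and recent_pw:
                hits.append((acct, ip, detail))
    return hits
```

An IP that appears in both results is the strongest indicator, since it ties the stuffing burst to the profile change.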
Conclusion
According to the firm, this is a more widespread issue than is being reported, and more information will be revealed after the investigation. The source of the hack remains unclear. For now, Xfinity customers are urged to stay vigilant.