Comcast Xfinity accounts are being attacked in 2FA bypass attacks

Someone found a way to bypass the two-factor authentication (2FA) security measure at Comcast Xfinity and compromise countless accounts, reports have claimed. 

Following the bypass, the attackers are able to use the compromised accounts to try and take over cryptocurrency exchange accounts and cloud storage services.

On December 19, Xfinity email users started receiving notifications of changes to their account information, but their passwords had already been changed, so they could not log in. Those who managed to get back into their accounts found that a secondary email address on a disposable domain had been added to the account.

Bypassing 2FA

A secondary email address is a security measure used by some email providers to help with password resets, account notifications, and similar tasks.

Many of the victims took to Twitter, Reddit, and the Xfinity forums to discuss what had happened, and said that they had 2FA enabled. So whoever was behind the attack managed to guess the password via credential stuffing and then bypass the two-factor authentication security measure. BleepingComputer’s report states the attackers used a “privately circulated OTP (one-time password) bypass” which allowed them to generate working 2FA verification codes.

That gave them access to the account, and adding the secondary, disposable email address allowed them to complete the password reset process.
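The chain described above (a recovery email on a disposable domain is added, then a password reset follows) is a sequence a defender can look for in account-change logs. The following is an added example, not code from the article or from Comcast: it assumes a simple event record with `ts`, `account`, `type` and `value` fields, and a constructed list of disposable domains; the sample events are constructed as well.

```python
# Added example (not from the article or Comcast's systems): flag accounts where a
# recovery email on a disposable domain is added and a password reset follows
# shortly afterwards. Event field names and the domain list are assumptions.
from datetime import datetime, timedelta

# Constructed sample of account-change events (field names assumed).
SAMPLE_EVENTS = [
    {"ts": "2022-12-19T08:01:00", "account": "alice", "type": "recovery_email_added", "value": "x9@tempmail.example"},
    {"ts": "2022-12-19T08:03:30", "account": "alice", "type": "password_reset", "value": ""},
    {"ts": "2022-12-19T09:10:00", "account": "bob", "type": "recovery_email_added", "value": "bob.backup@mail.example"},
    {"ts": "2022-12-19T15:00:00", "account": "bob", "type": "password_reset", "value": ""},
    {"ts": "2022-12-19T10:00:00", "account": "carol", "type": "recovery_email_added", "value": "c@tempmail.example"},
]

# Constructed disposable-domain list; a real deployment would load a maintained feed.
DISPOSABLE_DOMAINS = {"tempmail.example", "throwaway.example"}


def is_disposable(address):
    """True if the address's domain is on the disposable-domain list."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain in DISPOSABLE_DOMAINS


def find_takeover_sequences(events, window=timedelta(minutes=30)):
    """Return (account, recovery_email, reset_ts) tuples for every account where a
    disposable recovery email was added and a password reset followed within `window`.
    A disposable add with no later reset, or a reset long after the add, is not flagged."""
    by_account = {}
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as strings
        by_account.setdefault(e["account"], []).append(e)

    alerts = []
    for account, evs in by_account.items():
        pending = None  # most recent disposable recovery-email add awaiting a reset
        for e in evs:
            ts = datetime.fromisoformat(e["ts"])
            if e["type"] == "recovery_email_added" and is_disposable(e["value"]):
                pending = (ts, e["value"])
            elif e["type"] == "password_reset" and pending is not None:
                added_ts, addr = pending
                if ts - added_ts <= window:
                    alerts.append((account, addr, e["ts"]))
                pending = None
    return alerts


if __name__ == "__main__":
    for account, addr, reset_ts in find_takeover_sequences(SAMPLE_EVENTS):
        print(f"ALERT {account}: disposable recovery email {addr} added, reset at {reset_ts}")
```

The 30-minute window is a tuning choice, not a value from the article; a recovery-email change on its own is also worth surfacing as a lower-severity signal, since the article notes victims were notified of the change before they lost access.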

After gaining complete control over the compromised email accounts, the threat actors proceeded to breach further online services, assuming people’s identities to request email-based resets. Dropbox, Evernote, Coinbase, and Gemini are just some of the services the threat actors tried to breach.

Xfinity is keeping silent on the matter for the time being, but a customer said on Reddit that the firm is aware of the incident and is currently investigating. The same source also said that according to a customer support employee they spoke to, the issue seems to be quite widespread.

Via: BleepingComputer