Comcast Xfinity customers are reporting that their accounts have been hijacked in widespread attacks that bypass two-factor authentication. These compromised accounts are then used to reset passwords for other services, such as crypto exchanges Coinbase and Gemini.

Starting December 19, many Xfinity Mail users began receiving notifications that their account information had changed. However, when they tried to access the accounts, they could not log in because the passwords had been changed.

After regaining access to the accounts, they discovered they had been hacked and a secondary email on the disposable domain @yopmail.com was added to their profile.

Similar to Gmail, Xfinity allows customers to set up a secondary email address to use for account notifications and password resets in case they lose access to their Xfinity account.

Xfinity verification email in Yopmail disposable inbox (Source: BleepingComputer)

BleepingComputer learned about these account hacks after many Xfinity customers contacted us to share their experiences. Other customers have shared similar reports on Reddit, Twitter, and the Xfinity support forum.

All Xfinity customers we spoke to said they had two-factor authentication enabled on their accounts, but threat actors could bypass it and log into their accounts.

“Someone was able to reset my password and change my personal account information, they bypassed 2FA. The email they set up was xxxxxxx@yopmail.com,” explained an Xfinity customer on Reddit.


2FA bypass allegedly circulating privately

A researcher told BleepingComputer that the attacks begin with credential stuffing to determine working login credentials for Xfinity accounts.

Once they gain access to the account and are prompted to enter their 2FA code, attackers would use a privately broadcast OTP bypass for the Xfinity site that allows them to forge successful 2FA verification requests.

Once logged into the account, they change the secondary email to a @yopmail.com address and use it to perform password resets.

The customer's primary Xfinity email address also receives a notification that the account information has changed, but since the password has been changed as well, the customer can no longer log in to read it.
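As an added defender-side example (not code from BleepingComputer, Xfinity or the researcher quoted above), the following Python flags the account-change sequence just described in an audit log: a recovery address set to a disposable domain such as yopmail.com, followed by a password change within a short window. The event format, field names, the extra disposable domains and the sample events are assumptions; only yopmail.com comes from the report.

```python
"""Flag the recovery-email-then-password-reset takeover pattern in an account audit log.

Added example, not Xfinity/Comcast code. Event format, field names and sample
events are constructed; yopmail.com is the only domain taken from the report.
"""
from datetime import datetime, timedelta

# Disposable-mail domains to treat as suspicious recovery addresses.
# yopmail.com was observed in the reported hijacks; the others are assumed.
DISPOSABLE_DOMAINS = {"yopmail.com", "mailinator.com", "guerrillamail.com"}

# Constructed audit events: (timestamp, account, event, detail)
SAMPLE_EVENTS = [
    ("2023-12-19T02:11:04", "alice", "login_success", "ip=198.51.100.7"),
    ("2023-12-19T02:11:09", "alice", "2fa_verified", "method=sms"),
    ("2023-12-19T02:12:30", "alice", "secondary_email_changed", "new=ab12cd@yopmail.com"),
    ("2023-12-19T02:13:02", "alice", "password_changed", ""),
    ("2023-12-19T09:40:00", "bob", "secondary_email_changed", "new=bob.backup@example.org"),
    ("2023-12-19T09:41:00", "bob", "password_changed", ""),
]

def recovery_domain(detail):
    """Return the lowercased domain of a 'new=<address>' detail field, or ''."""
    addr = detail.split("new=", 1)[1] if "new=" in detail else ""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def find_takeover_chains(events, window_minutes=30):
    """Return (account, domain) pairs where the recovery e-mail was set to a
    disposable domain and the password was changed within window_minutes
    afterwards: the sequence the report describes."""
    flagged = []
    by_account = {}
    for ts, acct, ev, detail in sorted(events):
        by_account.setdefault(acct, []).append((datetime.fromisoformat(ts), ev, detail))
    window = timedelta(minutes=window_minutes)
    for acct, evs in by_account.items():
        for i, (t0, ev, detail) in enumerate(evs):
            if ev != "secondary_email_changed" or recovery_domain(detail) not in DISPOSABLE_DOMAINS:
                continue
            if any(e == "password_changed" and t0 <= t <= t0 + window for t, e, _ in evs[i + 1:]):
                flagged.append((acct, recovery_domain(detail)))
    return flagged

if __name__ == "__main__":
    for acct, domain in find_takeover_chains(SAMPLE_EVENTS):
        print(f"ALERT {acct}: recovery e-mail moved to {domain}, then password changed")
```

Flagged accounts are candidates for forcing re-verification through a channel the attacker does not control and for notifying the customer out of band rather than only to the compromised mailbox.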

Email to main account notifying that information has changed (Source: BleepingComputer)

Once they gain full access to an Xfinity email account, threat actors attempt to breach other online services used by the customer, using the now-compromised mailbox to receive the password reset requests they trigger.

BleepingComputer has been told by some customers that hackers have attempted to reset passwords on DropBox, Evernote, and cryptocurrency exchanges Coinbase and Gemini.

Although BleepingComputer has not been able to independently verify the legitimacy of this OTP bypass and whether it has been used in reported hacks, it would explain how threat actors can gain access to accounts with 2FA enabled.

BleepingComputer has reached out to Comcast’s press contacts several times this week, but has yet to receive a response to our emails.

However, an Xfinity customer posted on Reddit that the company is aware of the account breaches and is investigating the source of the hacks.

“I spoke to a second person from the xfinity security service who told me not to worry about the scam yopmail account on my xfinity account and advised that this has happened with many (maybe all) xfinity accounts,” one user posted on Reddit about the hacks.

“She indicated that xfinity is still working to find the source of the hack. Apparently this is a much more widespread issue than reported. It does not appear that xfinity email is secure at this time.”
