Bestgamingpro


Accounts for Comcast Xfinity are targeted in 2FA bypass attacks

A number of accounts on Comcast Xfinity may have been compromised because someone figured out how to log in without using their physical token.

Once the bypass is complete, the attackers may attempt to exploit the compromised accounts to get access to bitcoin exchanges and cloud storage services.

On December 19th, Xfinity email users began receiving notifications that their account information had been modified, but by then their passwords had already been changed. Those who were able to regain access discovered a new email address associated with the account, hosted on the temporary email domain yopmail.com.

Circumventing two-factor authentication

Some email services utilise a secondary email address as a safety precaution, and you may be asked to supply it if you want to change your password or get account alerts.

The majority of victims who spoke out about the incident on social media and Xfinity support forums indicated they used two-factor authentication. Whoever was responsible for the attack used credential stuffing to find the account password and subsequently got past the two-factor authentication protections. The attackers were able to create valid 2FA verification codes thanks to a “privately disseminated OTP (one-time password) bypass,” according to a report by BleepingComputer.

After doing so, they were able to reset the password by adding an additional, throwaway email address.

After taking full control of the compromised email accounts, the threat actors went on to penetrate further online services in order to request password resets using the victims’ stolen identities. The threat actors attempted to break into a variety of sites, including Dropbox, Evernote, Coinbase, and Gemini.
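The recovery-email step described above leaves a recognisable trace in account audit logs: a secondary address on a disposable domain is added and a password reset follows shortly after. The sketch below is an added example for defenders, not code from Comcast or from the report; the event schema, account names and timestamps are constructed, and the only disposable domain listed is the one the article names.

```python
from datetime import datetime, timedelta

# Disposable-mail domains to flag. yopmail.com is the one named in the article;
# a real deployment would load a maintained list instead (assumption).
DISPOSABLE_DOMAINS = {"yopmail.com"}

def is_disposable(address):
    """True if the address's domain is a listed domain or a subdomain of one."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in DISPOSABLE_DOMAINS)

def find_recovery_takeovers(events, window=timedelta(hours=1)):
    """Return (account, email, added_at, reset_at) for each password reset that
    follows a disposable recovery-email addition within `window`."""
    pending = {}   # account -> (email, time the disposable address was added)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        acct = ev["account"]
        if ev["action"] == "recovery_email_added":
            if is_disposable(ev["detail"]):
                pending[acct] = (ev["detail"], ev["time"])
        elif ev["action"] == "password_reset" and acct in pending:
            email, added_at = pending.pop(acct)
            if ev["time"] - added_at <= window:
                alerts.append((acct, email, added_at, ev["time"]))
    return alerts

def _ev(time, account, action, detail=""):
    """Build one audit event in the hypothetical schema used here."""
    return {"time": datetime.fromisoformat(time), "account": account,
            "action": action, "detail": detail}

# Constructed sample audit log (hypothetical accounts, dates and addresses).
SAMPLE_EVENTS = [
    _ev("2024-01-01T10:00:00", "alice", "login", "2fa_ok"),
    _ev("2024-01-01T10:02:00", "alice", "recovery_email_added", "x9k2@YOPMAIL.com"),
    _ev("2024-01-01T10:03:30", "alice", "password_reset"),
    # Reset happens before the address is added: not the pattern.
    _ev("2024-01-01T11:00:00", "bob", "password_reset"),
    _ev("2024-01-01T11:05:00", "bob", "recovery_email_added", "bob@yopmail.com"),
    # Non-disposable recovery address followed by a reset: not flagged.
    _ev("2024-01-01T12:00:00", "carol", "recovery_email_added", "carol@example.org"),
    _ev("2024-01-01T12:01:00", "carol", "password_reset"),
]

if __name__ == "__main__":
    for acct, email, added, reset in find_recovery_takeovers(SAMPLE_EVENTS):
        print(f"ALERT {acct}: {email} added {added}, password reset {reset}")
```

Matching is done on the normalised domain rather than by substring, so look-alike domains that merely contain the listed name are not flagged while subdomains of it are.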

As of yet, Xfinity has stated nothing publicly about the situation, but a customer has claimed on Reddit that the company is aware of the occurrence and is conducting an investigation. A customer service representative quoted by the same source claimed the problem seemed to be widespread.