Threat Intelligence: 2FA Bypass Attack - D1defend


Threat Intelligence: 2FA Bypass Attack

January 2023

A number of Comcast customers logged into their Xfinity email accounts only to discover that they had been hacked. The source of these widespread attacks seems to be an exploit that allows an attacker to bypass Xfinity two-factor authentication (2FA) for Xfinity accounts.

A quick look into the hacker underground reveals that there is a privately circulated tool that bypasses the one-time passcode (OTP) used in 2FA. First, the attackers compromise an Xfinity email account by using stolen passwords that have been leaked on the Dark Web. From there, they log in with the stolen passwords and use a private 2FA bypass tool to get around phone verification.

After that, the password is reset, and any backup or secondary emails are changed to one the attacker controls. Once the threat actors have access to the Xfinity email, they use this email to attempt a password reset on other services with the ‘Forgot my Password’ feature.

They have been observed using this method to compromise Dropbox, Evernote, and even cryptocurrency exchange accounts such as Coinbase and Gemini.

There are a few important things to note in these attacks:

  • 2FA was not enough. The hackers bypassed it.
  • Those who regained access to their accounts did so because they noticed a change in 2FA from monitoring their email accounts.
  • The accounts were originally compromised via “credential stuffing”, which uses leaked passwords found on the Dark Web.

These are all common pain points that Galactic Scan monitors for. This is why we add findings to our reports related to leaked passwords, as well as providing educational training videos on the weaknesses in MFA and how to use alerting to stay prepared against being compromised.
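The takeover sequence described above (login with a leaked password, 2FA method changed, recovery email changed, password reset, then "Forgot my Password" requests against other services) is a pattern that account-activity alerting can catch. The following is an added example written for this post, not D1defend's, Galactic Scan's, or Comcast's code. The event format and the sample events are constructed for illustration; real providers expose these signals through their own security-activity logs or notification emails.

```python
"""Flag the account-takeover sequence on a stream of account security events.

Added example, not code from D1defend, Galactic Scan or Comcast. The event
tuple format (timestamp, account, event_type, detail) and every sample event
below are constructed for this illustration.
"""
from datetime import datetime, timedelta

# Constructed sample: one account showing the full takeover sequence, one
# account making a routine recovery-email change days after its last login.
SAMPLE_EVENTS = [
    ("2023-01-10T02:14:00", "alice@example.test", "login_success", "new_device"),
    ("2023-01-10T02:15:30", "alice@example.test", "mfa_method_changed", "phone -> new number"),
    ("2023-01-10T02:16:10", "alice@example.test", "recovery_email_changed", "unknown@example.test"),
    ("2023-01-10T02:17:00", "alice@example.test", "password_reset", "self-service"),
    ("2023-01-10T02:40:00", "alice@example.test", "forgot_password_requested", "service=exchange"),
    ("2023-01-09T09:00:00", "bob@example.test", "login_success", "known_device"),
    ("2023-01-11T09:05:00", "bob@example.test", "recovery_email_changed", "bob.backup@example.test"),
]

# Security changes that, clustered shortly after a login, mark the sequence in the post.
HIGH_RISK_CHANGES = {"mfa_method_changed", "recovery_email_changed", "password_reset"}
WINDOW = timedelta(hours=1)


def parse(events):
    """Convert raw tuples into (datetime, account, event_type, detail)."""
    return [(datetime.fromisoformat(ts), acct, etype, detail)
            for ts, acct, etype, detail in events]


def detect_takeover(events, window=WINDOW, min_changes=2):
    """Return {account: {"login_at": datetime, "changes": [event types]}} for every
    account with at least `min_changes` distinct high-risk changes inside `window`
    after a successful login. Two or more such changes in one hour is the threshold
    used here; a single change is often legitimate, the cluster rarely is."""
    by_account = {}
    for ev in sorted(parse(events)):
        by_account.setdefault(ev[1], []).append(ev)

    alerts = {}
    for acct, evs in by_account.items():
        for i, (t0, _, etype, _) in enumerate(evs):
            if etype != "login_success":
                continue
            seen = []
            for t, _, e, _ in evs[i + 1:]:
                if t - t0 > window:
                    break
                if e in HIGH_RISK_CHANGES and e not in seen:
                    seen.append(e)
            if len(seen) >= min_changes:
                alerts[acct] = {"login_at": t0, "changes": seen}
                break  # one alert per account is enough
    return alerts


def downstream_reset_requests(events, alerts):
    """List (account, detail) for password-reset requests on other services that
    arrived after a flagged takeover; these are the accounts to re-secure next."""
    return [(acct, detail)
            for t, acct, e, detail in parse(events)
            if e == "forgot_password_requested"
            and acct in alerts and t > alerts[acct]["login_at"]]


if __name__ == "__main__":
    found = detect_takeover(SAMPLE_EVENTS)
    for acct, info in found.items():
        print(f"ALERT {acct}: {', '.join(info['changes'])} within 1h of login at {info['login_at']}")
    for acct, detail in downstream_reset_requests(SAMPLE_EVENTS, found):
        print(f"  follow-up reset request from {acct}: {detail}")
```

The window and the two-change threshold are tuning knobs: a user who switches phones will change their 2FA number, and a user who changes jobs will change their recovery email, but both within minutes of a login from a new device is the sequence this post describes. The second function exists because the compromised mailbox is only the first step; the services whose "Forgot my Password" emails land in it are the ones that need attention next.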

Comcast has not released an official statement as of this communication, and it is unknown how many accounts were compromised. If you have a Comcast email account, we recommend that you immediately update your password and check the recovery email and 2FA information you have on file. Reach out to Comcast Xfinity support if necessary.

It is also a good idea to review your other accounts and services in case they are compromised.

If you have any questions or concerns, contact us!
