Cyber Incident Victim: Comcast
Date: Dec 2022
Location: United States of America
Summary
Comcast Xfinity accounts were compromised through widespread credential stuffing attacks that bypassed two-factor authentication using a privately circulated OTP exploit, enabling threat actors to forge verification requests. After gaining access, attackers added secondary @yopmail.com email addresses, altered account credentials, and locked users out, subsequently leveraging the breached email accounts to initiate password resets for external services including cryptocurrency exchanges (Coinbase, Gemini) and cloud platforms (Dropbox, Evernote). The company acknowledged investigating the breaches amid customer reports of unauthorized access and downstream account targeting.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |

| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In December 2022, Comcast Xfinity customers experienced widespread account compromises beginning December 19, with numerous users receiving notifications that their account information had been altered without authorization. Affected customers discovered they could no longer access their accounts due to password changes implemented by threat actors. Upon regaining access, victims consistently identified unauthorized modifications to their account profiles, specifically the addition of secondary email addresses from the disposable @yopmail.com domain. This feature, designed to facilitate account recovery and notifications, was exploited to maintain persistent access. All compromised accounts had two-factor authentication (2FA) enabled, yet attackers successfully circumvented this security measure. Customers reported identical attack patterns across multiple platforms including Reddit, Twitter, and Xfinity's support forums, with one user explicitly stating threat actors "bypassed 2FA" while changing account details to [email protected]. The attacks enabled further credential reset attempts against third-party services linked to the compromised Xfinity email accounts, with cryptocurrency exchanges Coinbase and Gemini specifically identified as targets alongside Dropbox and Evernote.

Security researchers attributed the breaches to credential stuffing attacks against Xfinity accounts, followed by exploitation of a privately circulated one-time password (OTP) bypass technique that forged successful 2FA verification requests. After gaining entry, attackers systematically modified account recovery options and passwords, triggering notifications to the legitimate email addresses that owners could no longer access due to concurrent credential changes. This operational sequence allowed threat actors to control communication channels for password reset requests across multiple platforms tied to the compromised emails. BleepingComputer documented the attack methodology after direct communication with affected customers and threat researchers, though Comcast did not respond to multiple press inquiries during the initial investigation period. Indirect evidence from customer forum posts indicated Comcast was aware of the breaches and investigating their origin, but no official statements or remediation details were confirmed through primary channels during the reporting period covered in the source material. The incident demonstrated coordinated exploitation of authentication workflow vulnerabilities to enable lateral attacks against secondary services dependent on email-based account recovery.
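The sequence described above (a login, a recovery address added on a disposable domain, then a password change) is visible in account audit logs, which is where a defender would look for it. The following is an added detection example written for this page; it is not Comcast's or Xfinity's code. The event tuple layout, the event-type names, the disposable-domain list (seeded only with the @yopmail.com domain the page names) and the sample events are all constructed assumptions. It generalizes the page's one case slightly by also flagging a recovery-address change paired with a password change inside a short window regardless of domain, since the page reports attackers modified both together.

```python
"""Flag the account-takeover pattern from this incident in account audit events.

Added example, not the provider's code. Event format, event-type names and the
disposable-domain list are assumptions; all sample events below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed list of disposable-mail domains; @yopmail.com is the one the incident names.
DISPOSABLE_DOMAINS = {"yopmail.com"}

# Constructed audit events: (ISO timestamp, account id, event type, detail).
SAMPLE_EVENTS = [
    # user-a: the reported pattern compressed into a few minutes
    ("2022-12-19T03:10:05", "user-a", "login_success", "ip=203.0.113.7"),
    ("2022-12-19T03:10:41", "user-a", "recovery_email_added", "takeover-a@yopmail.com"),
    ("2022-12-19T03:11:20", "user-a", "password_changed", "ip=203.0.113.7"),
    # user-b: legitimate recovery-address update, no credential change
    ("2022-12-19T09:02:00", "user-b", "login_success", "ip=198.51.100.4"),
    ("2022-12-19T09:03:15", "user-b", "recovery_email_added", "family@example.com"),
    # user-c: routine password rotation, recovery options untouched
    ("2022-12-20T18:45:00", "user-c", "login_success", "ip=198.51.100.9"),
    ("2022-12-20T18:46:30", "user-c", "password_changed", "ip=198.51.100.9"),
    # user-d: both changes, but hours apart and on a normal domain
    ("2022-12-21T08:00:00", "user-d", "recovery_email_added", "me@example.org"),
    ("2022-12-21T15:00:00", "user-d", "password_changed", "ip=198.51.100.2"),
]


def email_domain(address):
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_disposable(address):
    """True when the address's domain is on the disposable-domain list."""
    return email_domain(address) in DISPOSABLE_DOMAINS


def detect_takeover(events, window=timedelta(minutes=30)):
    """Return {account: [reasons]} for accounts matching the takeover pattern.

    Rule 1: a recovery address was added on a disposable domain.
    Rule 2: a recovery address was added and the password was changed within `window`.
    Accounts with no finding are omitted.
    """
    by_account = defaultdict(list)
    for ts, account, kind, detail in events:
        by_account[account].append((datetime.fromisoformat(ts), kind, detail))

    findings = {}
    for account, evs in by_account.items():
        evs.sort()  # chronological order per account
        reasons = set()
        recovery_times, password_times = [], []
        for when, kind, detail in evs:
            if kind == "recovery_email_added":
                recovery_times.append(when)
                if is_disposable(detail):
                    reasons.add("disposable_recovery_email:" + email_domain(detail))
            elif kind == "password_changed":
                password_times.append(when)
        # Pair every recovery change with every password change and look for a close pair.
        if any(abs(p - r) <= window for r in recovery_times for p in password_times):
            reasons.add("recovery_email_and_password_changed_within_window")
        if reasons:
            findings[account] = sorted(reasons)
    return findings


if __name__ == "__main__":
    for account, reasons in detect_takeover(SAMPLE_EVENTS).items():
        print(account, "->", ", ".join(reasons))
```

Run as a script it reports only `user-a`, with both reasons; the routine password rotation and the standalone recovery-address update are left alone, and the hours-apart pair falls outside the 30-minute window. In a real deployment the window, the domain list and the event names would come from the provider's own audit schema, and the notification sent to the old address would be the second signal to correlate.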
