Security Bulletin

Xfinity Data Breach: How It Happened (and Are You Affected?)

March 22, 2023

Xfinity Data Breach

Cable customers weren’t thrilled when they realized that Comcast would implement yet another price hike. However, things only got worse when it was announced that Xfinity became the victim of a holiday data breach in early December 2022. The Comcast data breach represents the latest evidence that hackers continue evolving their attack methods, even as companies rush to implement more robust security measures.

How Did the Xfinity Data Breach Happen?

The problem came to light when Xfinity customers began receiving email notifications confirming changes to their account information. When those same users tried to log into their Comcast account, they discovered the passwords had been changed without their permission.

When those users did regain access, they discovered they had become the victim of a hack. There was also a secondary disposable email address added to their profile. Xfinity lets customers add an email address if they lose access to their main Xfinity account and need to reset the password.

What’s most concerning is that Xfinity accounts use two-factor authentication (2FA) for additional security. Unfortunately, hackers managed to bypass the safeguard by using credential stuffing. They also leveraged a one-time password (OTP) bypass to hijack 2FA verification requests.

The Fallout From the 2022 Xfinity Data Breach

Once the bad actors obtained control of the compromised email account, they used the information to breach other online services. Comcast users discovered that hackers had also gotten into other accounts they had on other platforms like Evernote and Dropbox.

So, it’s not just about cyber thieves taking over a user’s Xfinity account. The information captured about Xfinity customers was used to access other services. Xfinity is still trying to quantify the widespread fallout from the data breach.

For Comcast, it’s yet another failure in its security posture. They went through a similar issue in 2021, where customers discovered they were hacked after being greeted by a cryptic message when they logged into their account.

What Does This Mean for 2FA?

The use of 2FA for authentication has become widespread across many industries. It represented a big step forward in device security. While 2FA made the login process a little more complex, the tradeoff of no longer relying solely on passwords for access was a worthwhile payoff.

Unfortunately, 2FA alone isn’t enough to solve the problem of hacking and data theft. In addition to the methods used in the Xfinity data breach in 2022, bad actors now have tools that let them steal cookies, which allows them to access any web browser, service, or email account.

They get hold of the cookies using botnets designed to steal cookies from browsers. You can also purchase stolen cookies that contain malware in underground internet sales markets. Below are some other concerns noted about the issues with using 2FA.

Security is Part of an Application

Two-factor authentication is more effective when you rely on a separate service to authenticate your identity. Applications like Google Auth apply 2FA to monitor and control 2FA for sites you visit.  Verification gets done independently of the service being used. However, most people prefer to use only one application to perform 2FA, resulting in low adoption rates.

Info Used for Multiple Sites

While it’s not recommended, many people still use the same ID or password across multiple accounts. That was demonstrated during the Xfinity data breach, where bad actors used the credentials they stole to access other accounts held by users. If a cyber thief manages to get hold of your mobile phone number, they can use it to copy your phone and track any texts you receive.

Too Easy to Reset Passwords

With enough information, hackers can get in touch with the customer service department of an application and find a way to get a new password. Doing so lets them get around any 2FA protections and provides them direct access to your account.

Should I Abandon Two-Factor Authentication Because of the Xfinity Data Breach?

If you do have services that offer 2FA, you should still go into your account and enable it, if it isn’t already. It provides a significant security boost against identity theft versus using only a user ID and a password. Ideally, you should choose an authentication method that doesn’t use text messages. While the evolving tactics hackers use to get past 2FA are a big concern, that doesn’t mean it’s still not worth having.

If you end up using SMS authentication for 2FA, it’s still a safer option than relying solely on passwords. One of the best things an organization can do to boost cybersecurity protections is to add a third requirement. Biometrics, like fingerprints, are unique to individuals and much more challenging to hack.

Why Going Passwordless May Be the Answer

If you want to help your organization avoid the pitfalls of password-based security measures, consider removing them entirely. Not forcing customers to provide a password upon login improves their experience with your company.  There’s no longer a need to maintain complex password requirements. That relieves the burden on users to remember long passwords.

Getting rid of passwords also lowers the risk of your company having to deal with common password-based attacks like keylogging, rainbow attacks, and credential stuffing, the latter of which led to Comcast’s latest data breach. It’s always a good thing when you can reduce the attack surface for cybercriminals.

Going passwordless allows your organization to shed the expenses of password maintenance. Your help desk will no longer get bogged down in constant requests to reset user passwords. Users can use their phone, email, or biometrics to authenticate who they are, making the login process more seamless.

Take a More Holistic Approach to Authentication

Axiad helps organizations map out and implement more robust, user-friendly data access and solutions. Contact us here to find out how we can help you boost your company’s security posture.

About the author
Axiad Team
Axiad Demo

See How Axiad Works

See a comprehensive demo of Axiad and envision how it will revolutionize authentication for you!