Numerous Comcast Xfinity customers report accounts being hacked in a campaign leveraging a 2FA bypass technique.
Xfinity email users began receiving notifications that their account information had changed without consent despite enabling two-factor authentication (2FA). The victims also noticed that a secondary email at the disposable yopmail[.]com domain was added to their profile.
The victims discovered they had been hacked when they could not log into their accounts since hackers had also changed their passwords. Impacted customers also reported hackers attempting to access and reset passwords for other services such as the Coinbase and Gemini crypto exchange wallets, Dropbox, and Evernote.
Hackers reportedly used a secret 2FA bypass tool
Xfinity was investigating the attack and was assisting customers in regaining access to compromised accounts. Many customers who engaged the Xfinity customer support department said the company was helpful in reverting compromised accounts to their legitimate owners.
Meanwhile, a security expert told Bleeping Computer that the attackers probably gained access to the accounts via credential-stuffing attacks before leveraging a privately circulated OTP bypass tool. However, the source, who requested to remain anonymous, did not explain the nature of the OTP bypass tool.
Comcast has yet to confirm the existence of the secret 2FA bypass tool or the number of accounts compromised.
However, some suggest that the impact of the 2FA bypass attack was more widespread than reported, although the company has not concluded its investigation.
2FA bypass attacks deployed successfully in the past
Hackers have previously used 2FA bypass techniques in widespread attacks against other online accounts, with disastrous outcomes.
In January 2022, the Singapore-based cryptocurrency exchange platform Crypto.com confirmed a 2FA bypass attack that compromised 483 user accounts. Crypto.com also disclosed that the 2FA bypass allowed threat actors to steal $34.65 million worth of cryptocurrency, which the company promised to refund. Subsequently, the company instituted changes such as delayed account access and limiting functionality for 24 hours after password change activity, giving owners time to respond to unauthorized changes.
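The two defensive measures the report touches on, blocking a disposable recovery address of the kind added to the Xfinity victims' profiles and restricting sensitive account functionality for 24 hours after a credential change as Crypto.com did, can be expressed as one small policy. The following Python is an added example written for this article; it is not Comcast's, Crypto.com's or any vendor's code. The action names, the restricted-action set and the timestamps are constructed assumptions; only yopmail.com comes from the report, and a real deployment would feed the disposable-domain set from a maintained list.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Disposable mailbox domains. yopmail.com is named in the report; in practice this
# set would be loaded from a maintained blocklist (assumption).
DISPOSABLE_DOMAINS = {"yopmail.com"}

# Restricted window after a credential change, matching the 24 hours the
# article attributes to Crypto.com's post-incident change.
CHANGE_COOLDOWN = timedelta(hours=24)

# Actions that start the cooldown, and actions refused while it is active.
# These names are illustrative assumptions, not any provider's API.
CREDENTIAL_CHANGES = {"change_password", "add_recovery_email"}
RESTRICTED_ACTIONS = {"add_recovery_email", "export_data", "forward_mail", "remove_2fa"}


@dataclass
class Account:
    username: str
    recovery_emails: List[str] = field(default_factory=list)
    last_credential_change: Optional[datetime] = None
    alerts: List[str] = field(default_factory=list)  # notifications sent to the owner


def is_disposable(email: str) -> bool:
    """True when the mailbox domain is on the disposable list (case-insensitive)."""
    if "@" not in email:
        return False
    return email.rsplit("@", 1)[1].lower() in DISPOSABLE_DOMAINS


def in_cooldown(account: Account, now: datetime) -> bool:
    """True while the account is inside the post-change restricted window."""
    if account.last_credential_change is None:
        return False
    return now - account.last_credential_change < CHANGE_COOLDOWN


def request_action(account: Account, action: str, now: datetime,
                   new_email: Optional[str] = None) -> Tuple[bool, str]:
    """Decide one account action. Returns (allowed, reason) and records an
    owner notification for every denial and every credential change."""
    if action == "add_recovery_email":
        if new_email is None:
            return False, "missing email"
        if is_disposable(new_email):
            account.alerts.append(f"denied disposable recovery address {new_email}")
            return False, "disposable domain"

    # A freshly changed password must not unlock data export, mail forwarding,
    # 2FA removal or further recovery-address changes for the cooldown period.
    if action in RESTRICTED_ACTIONS and in_cooldown(account, now):
        account.alerts.append(f"denied {action} during cooldown")
        return False, "cooldown active"

    if action == "add_recovery_email":
        account.recovery_emails.append(new_email)

    if action in CREDENTIAL_CHANGES:
        # Password changes stay allowed so the real owner can recover, but each
        # one starts (or restarts) the cooldown and notifies the owner.
        account.last_credential_change = now
        account.alerts.append(f"{action} recorded; restricted window until "
                              f"{(now + CHANGE_COOLDOWN).isoformat()}")
    return True, "ok"


def run_scenario() -> List[Tuple[bool, str]]:
    """Constructed walk-through: a stuffed-credential login tries the chain
    described in the report, then the owner acts after the window closes."""
    t0 = datetime(2022, 1, 1, tzinfo=timezone.utc)  # constructed timestamp
    acct = Account("customer1")
    steps = [
        ("add_recovery_email", t0, "drop@yopmail.com"),          # refused: disposable
        ("change_password", t0, None),                           # allowed, starts cooldown
        ("export_data", t0 + timedelta(hours=1), None),          # refused: cooldown
        ("add_recovery_email", t0 + timedelta(hours=1), "me@example.com"),  # refused
        ("export_data", t0 + timedelta(hours=25), None),         # allowed: window over
        ("add_recovery_email", t0 + timedelta(hours=25), "me@example.com"),  # allowed
    ]
    return [request_action(acct, a, t, new_email=e) for a, t, e in steps]


if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
```

The cooldown deliberately does not block a second password change: the legitimate owner's recovery path must stay open, and the owner notification on every change is what the Xfinity victims relied on to notice the takeover in the first place.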
Threat actors had also used social engineering tactics to bypass two-factor authentication and compromise high-profile accounts in the FIFA 22 account takeover attacks.
In May 2022, a hacker told Motherboard that they could easily make money from Apple and other high-profile companies, such as Samsung, via 2FA bypass tactics leveraging Telegram bots.
Evidence 2FA is losing ground
Seemingly, 2FA has been losing ground against threat actors whose toolsets and tactics have evolved to defeat traditional account protection solutions. Some traditional account protection methods, such as passwords and SMS-based OTPs, cannot effectively protect online accounts.
The situation will only deteriorate with time, necessitating stronger account protection solutions that include biometric authentication and MFA-backed Single Sign On (SSO).
“This is yet another example of MFA not being as protective as most people think,” said Roger Grimes, data-driven defense evangelist at KnowBe4. “MFA is a good thing and everyone should use phishing-resistant MFA when they can to protect valuable data and systems.”
According to Grimes, MFA was oversold to customers who perceive it as a super solution that can protect them from all cyber threats.
“As this incident shows, although MFA can provide extra protection in some types of hacking scenarios, it doesn’t protect in all scenarios and can be used to steal or bypass a password.”
“And admins and MFA vendors need to make sure not to oversell MFA’s protection,” Grimes added. “MFA is good and everyone should use it … but it’s simply not as protective as people are being told. And thinking you are specially protected by MFA and mistakenly thinking you are highly resistant to hacking attacks is a dangerous mindset.”