Comcast left customers of its Xfinity Mobile telephony service vulnerable to hacking and theft by setting the default PIN of their accounts to "0000", allowing malicious third parties to steal customer identities. The vulnerability was reported by a user who wrote about it for The Washington Post, describing "a tech horror story", and Comcast then confirmed it.
The hacked user, from California, said his phone number was ported out and transferred to a new account, with his credit card still attached to the new phone. The hacker then used the card to buy a new Apple computer in Georgia. If the PIN seems familiar to you, it may be because Kanye West set the passcode of his iPhone X to 000000, a poor choice for an ordinary user or a hip-hop mogul, but far worse for the IT department of a huge telecommunications company serving tens of millions of people.
The user is just one of the many Xfinity Mobile customers who reported having their numbers stolen because Comcast did not protect their mobile accounts with a unique PIN or even a password. For those unfamiliar with Xfinity Mobile, it is a service that runs on Verizon's network but supplements it with Wi-Fi hotspots across the country. As a result, it generally offers lower-cost data plans, although the company has recently imposed restrictions on mobile data use in an attempt to limit the viewing of high-bandwidth video.
On the Xfinity forums, a user who said that his number had been transferred indicated that Comcast had asked him to file a police report, but that the company had not helped him recover the number, probably because the number was already with another carrier over which Comcast had no control. Another user pointed out that two-factor authentication would not help in this case, as it would not prevent a hacker from transferring the number.
"We are aware of the very small number of customers affected by this problem, but even a customer affected by this problem is a customer too," a Comcast spokesperson told The Verge. The company added that it has added security to the process of transferring phone numbers to new accounts and "is aggressively working to find a PIN solution." It is also reaching out to the affected customers to help them resolve the problem on a case-by-case basis. According to Comcast, such situations are usually only possible because hackers use personally identifiable information, such as a password-protected Xfinity Mobile account number, that may have been exposed in other, unrelated data breaches.
Still, Comcast does not really explain why 0000 was the default PIN. Users are advised to use strong, unique passwords and to enable multi-factor authentication, but both are useful only if the company gives them the ability to set unique, strong PINs from the start.
Disclosure: Comcast is an investor in Vox Media, The Verge's parent company.