Comcast has a giant security debacle on its hands, one that allows hackers to easily hijack a random customer’s phone number.
Xfinity Mobile, a wireless service launched by Comcast in 2017, allows customers to port their current numbers from other carriers. To make things even easier, no PINs are necessary—except for one: “0000,” which is the default PIN for every account.
Customers began reporting that their telephone numbers have been ported without their permission, and that hackers were switching these numbers to their own accounts in order to steal identities.
For a hacker to port a phone number, they need two things: the account number and the PIN. Since every Xfinity customer has the same PIN — 0000 — any time a hacker could obtain an account number, they were able to port the number. And, given customers were unable to change their PINs, there was really nothing they could do about it.
How did customers get caught up in this?
It’s especially easy for a hacker to steal an account number if you use the same password/email combination for every account you own. Once a hacker knows your password for one site—either via a phishing scam or by scouring the dark web—they can try that combo on Comcast. If they get access, the can grab your account number and use the default PIN to hijack your phone number.
Comcast is defending itself, of course, saying that this could happen to any mobile carrier and that they don’t feature the account number in an email or on paper bills. So, a hacker would need direct access to the customer’s web account. But Xfinity is the only carrier that has default PIN numbers that are unable to be changed.
Comcast now says it has fixed the issue, but it has not released details as to how. It says it will eventually begin implementing unique PINs for its Xfinity service, but no timeline has been given.
“We believe this has only affected customers whose passwords might have been included in previous, non-Comcast related breaches. We recommend that customers use unique, strong passwords. In addition, customers can further protect their Xfinity account by signing up for multi-factor authentication,” Comcast told Ars Technica.
Here’s what the Washington Post wrote about a customer who was affected:
“This is a security hole large enough to drive a truck through,” reader Larry Whitted in Lodi, Calif., wrote last week.
As a customer of Comcast’s Xfinity Mobile phone service, Whitted says someone was able to hijack his phone number, port it to a new account on another network and commit identity fraud. The fraudster loaded Samsung Pay onto the new phone with Whitted’s credit card—and went to the Apple Store in Atlanta and bought a computer, he said.
As with every account you have, be sure to use strong, unique passwords. A password manager is a good option for most. You will want to consider taking advantage of two-factor authentication when available. This way, even if someone can access your password, they still can’t log in unless they also have access to your mobile phone or other specified account.