xfinity/target promotion

Data breach?  Likely so. And they are handling it incredibly poorly.

No public response from Xfinity, but here's a few articles someone linked.

https://forums.xfinity.com/conversations/email/my-account-was-compromised-with-2fa-on-how-is-this-possible/63a2dc38ebc755162835f70a?commentId=63a997af86efae732c84b5c9

One thing you are going to want to do immediately, is log into webmail, click the little gear icon in the top right to get to "email settings", then on the left tab, make sure BOTH auto forward and auto reply are not enabled, and that no unknown email address is listed at either one.

The other thing you are going to want to do is unlink your Xfinity email address from any other website/banking/other service that has your Xfinity email address listed as a password recovery address.  If you use the same password across multiple sites (they all should be different), change that immediately on all of them, and don't use the same password that you use for Xfinity. 

Logs on a server I run show at least the username/email address and a hashed password have leaked, but if they got those, they have billing info too.  Hashed passwords and credit card information will have to be decrypted, and isn't worth the processing time/effort, but for phone scams and stealing credentials on other sites, this information is useful.  Password information is also useless once you change them.  Credit card charges can be disputed and reported as fraud with a simple phone call, so no problem there either. 

Do not respond to a phone solicitation of any kind.  Even from a known company you use.  Instead.  Don't say anything. Hang up.  Look up the company's phone number and initiate the contact yourself from now on.  It's the only way you know who you are talking to.

Concern moved here to the Customer Service help section for greater exposure to Comcast corporate employees (The Digital Care Team) for assistance.

Hello and thanks for taking the time to reach out to us on Forums! We appreciate you being a customer with us, and it's unsettling to hear about this spam occurrence you experienced. We absolutely understand your concerns and offer our apologies for any inconvenience or frustration caused by this. Spoofing and spam calls continue to be at an all-time high, which is why we've made several tools available to Xfinity customers with voice services who may be affected; Common Phone Scams and How to Protect Yourself

We also have an alerts page available with current reports and areas for customers to report additional instances to us; Alerts

Please know if there were any unauthorized charges on your credit card or unauthorized withdrawals from your banking account, dispute those charges or withdrawals with your card issuer or bank as soon as possible. Also know that phone numbers found on official Comcast websites, such as 1-800-Comcast and 1-800-Xfinity, are the only legitimate numbers for customers to call. 

My team would be more than happy to double-check your account on our end. Please send us a private Direct Message to best assist you. 

Here are the detailed steps to direct message us: 
 • Click "Sign In" if necessary
 • Click the "Direct Message icon” (upper right corner of this page)
 • Click the "New message" (pencil and paper) icon
 • Type "Xfinity Support" in the to line and select "Xfinity Support" from the drop-down list
 • Type your message in the text area near the bottom of the window
 • Press Enter to send your message

How was the scammer able to mirror our Xfinity account and get my phone number to send me a text with? Do you not have better web site security, especially given that this scam has apparently been going on for some time?