surzhykKorektor's profile

New Poster


2 Messages

Wed, Dec 2, 2020 3:00 PM

Email compromised, hacker still has access despite changing pw and enabling 2FA

On Sunday, I discovered that someone had password-guessed their way into my dad's Comcast email (my email is on the same subscriber id), added themselves as Primary User and locked both him and me out of our accounts. After two hours on the phone with customer service, I managed to get back in, changed all the passwords, enabled Xfinity Authenticator, etc.


Today, I found out that not only does the hacker still have access to my email, but that changing the password does /not/ automatically deauthenticate existing sessions (webmail or desktop client), nor does enabling 2FA, and there is no button anywhere in account settings to forcibly log out all sessions. Meanwhile, the hacker has been taunting me on Reddit saying I have "bad opsec" (not entirely untrue...) and how he's going to continue doing it until I "willingly" hand over my Roblox items (all this over a game I haven't touched in years?!). The proof I have that they still have access to my Comcast email, is that they've successfully, repeatedly, changed my Roblox account credentials and associated email due to the fact that the "account creation email" (my Comcast email) is permanently registered.


I don't care about the Roblox thing (honestly I might just delete the account out of spite), but what I need to know is this: How do they still have access to my Comcast email accounts, in spite of changing the password and adding the Xfinity Authenticator, which /should/ have automatically invalidated all existing session cookies? And more importantly, how do I keep them from regaining access to mine AND my father's Comcast accounts to do worse damage? I've already reassigned the Primary User of our Xfinity Service to a brand new Gmail (along with registering it in Authenticator), and de-Managered dad's account, so they can't lock us out again...

(Minor side tangent-rant: 16 character limit on passwords, Xfinity? Seriously? Even if my dad wasn't bad at making passwords...)


New Poster


2 Messages

6 m ago

Um... this is a bit embarassing... I figured out how they "still had access". They changed my auto-forward settings to send my Comcast emails to an address they control... whoops. Additionally, they informed me how they gained access in the first place: social-engineering and spoofing of our (non-changeable, non-replaceable) landline phone number to get a Comcast rep to send a temporary password for my dad's account to them.


My other questions still stand, though:

* Why does changing the password/adding 2FA *not* automatically deauthenticate existing sessions?

* Why is there no "sign out everywhere else" button like many other email services have?

* ...And seriously, why the 16-character limit on passwords when changing them???

New to the Community?

Start Here