In the latest episode of consumers being hurt by tech companies' security flaws, Comcast's Xfinity Mobile wireless service was found to be setting customer account PINs to 0000 by default. As reported by The Washington Post (via The Verge), one user whose phone number was stolen because of Xfinity's weak default PIN even saw the hacker buy an Apple computer with his credit card.
In this instance, the hacker was able to use the credit card attached to the victim's Xfinity Mobile account, which remained on file after the phone number was stolen. Comcast confirmed the story to The Washington Post.
The hacked user, from California, told the Post he had his phone number hijacked and transferred to a new account, with his credit card still attached to the new phone. The hacker then used the card to buy a new Apple computer in Georgia.
The Verge notes that once a number has been transferred to another carrier, Xfinity Mobile likely has no power to help victims.
On the Xfinity forums, one user who said his number was ported out noted that Comcast told him to file a police report, but the company then didn't help him get the number back onto his account, possibly because the number was already with another carrier that Comcast had no control over. Another user pointed out that two-factor authentication wouldn't help in this case, as it doesn't prevent a hacker from porting out the number.
It's unclear how many users have had their phone numbers stolen because of this oversight, but Comcast says the number is "very small."
“We’re aware of a very small number of customers impacted by this issue, but even having one customer impacted by this is one too many,” a Comcast spokesperson told The Verge. The company said it had added more security around porting phone numbers to new accounts and is also “working aggressively towards a PIN-based solution.” It's also reaching out to affected customers to help fix the issue on a case-by-case basis.
However, a lingering question is why Xfinity Mobile used 0000 as the default PIN for every customer in the first place.
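The failure described above has a simple shape: the port-out PIN is the only thing standing between an attacker and the phone number, and a shared default of 0000 means it protects nothing. The following is an added illustration, written for this article and not Comcast's or Xfinity Mobile's code, of what a carrier-side port-out PIN policy looks like when done properly: default and trivially guessable PINs are rejected, PINs are generated randomly when the customer has not chosen one, stored hashed, and a port-out with no PIN on file is refused rather than falling back to a default. The blocklist, the phone numbers and the `PortOutPolicy` class are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed blocklist: the Xfinity default plus the usual suspects.
KNOWN_DEFAULTS = {"0000", "1234", "1111", "0123", "9999"}

PBKDF2_ROUNDS = 100_000  # assumption: any slow hash is fine for a 4-digit secret


def pin_weakness(pin: str) -> Optional[str]:
    """Return a reason the PIN is unacceptable, or None if it passes."""
    if len(pin) != 4 or not pin.isdigit():
        return "must be exactly four digits"
    if pin in KNOWN_DEFAULTS:
        return "matches a known default or common PIN"
    if len(set(pin)) == 1:
        return "all digits identical"
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {-1}):  # 2345, 8765 and the like
        return "sequential digits"
    return None


def generate_port_out_pin() -> str:
    """Random per-customer PIN from a CSPRNG, never a shared default."""
    while True:
        pin = f"{secrets.randbelow(10_000):04d}"
        if pin_weakness(pin) is None:
            return pin


def _hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


class PortOutPolicy:
    """Hypothetical carrier-side store of per-line port-out PINs."""

    def __init__(self) -> None:
        # phone number -> (salt, pbkdf2 hash); no entry means no PIN set
        self._pins: Dict[str, Tuple[bytes, bytes]] = {}

    def set_pin(self, phone: str, pin: str) -> Optional[str]:
        """Store a customer-chosen PIN. Returns a rejection reason or None."""
        reason = pin_weakness(pin)
        if reason is not None:
            return reason
        salt = secrets.token_bytes(16)
        self._pins[phone] = (salt, _hash_pin(pin, salt))
        return None

    def provision_line(self, phone: str) -> str:
        """New line: assign a random PIN instead of 0000 and return it once."""
        pin = generate_port_out_pin()
        assert self.set_pin(phone, pin) is None
        return pin

    def authorize_port_out(self, phone: str, pin: str) -> bool:
        """A port-out is allowed only with the correct customer PIN."""
        record = self._pins.get(phone)
        if record is None:
            return False  # no PIN on file: refuse, do not fall back to a default
        salt, stored = record
        return hmac.compare_digest(_hash_pin(pin, salt), stored)


if __name__ == "__main__":
    policy = PortOutPolicy()
    assigned = policy.provision_line("555-0100")  # constructed number
    print("default 0000 accepted:", policy.authorize_port_out("555-0100", "0000"))
    print("assigned PIN accepted:", policy.authorize_port_out("555-0100", assigned))
    print("0000 as a chosen PIN:", policy.set_pin("555-0199", "0000"))
```

The two properties that matter are that every line gets a distinct, unguessable PIN at provisioning time, and that the port-out path has no branch where the absence of a PIN means "allow". A blocklist on its own does not help if the default is set by the system rather than chosen by the customer, which is why `provision_line` calls the generator rather than a constant.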
Late last year, Kanye West accidentally revealed that he used a similarly weak passcode, 000000, on his iPhone.