Xfinity Mobile Numbers Hijacked: What to Do Now

UPDATED 3:30 pm EST March 1 with statement and information from Comcast.

If you use Comcast's Xfinity Mobile cellular service, you'd better implement two-factor authentication (2FA) on your Comcast account ASAP — and then bug Comcast support reps about putting a PIN on your mobile account.

Crooks are stealing Xfinity Mobile numbers by requesting that the numbers be "ported" to new phones. On many other carriers, the customer support rep asks for a mobile-account PIN along with the account number and owner's name before the request can be processed. But Comcast doesn't require PINs for Xfinity Mobile accounts, resulting in a PIN of "0000" (blank to a computer) for many or all Xfinity Mobile accounts.

Stolen phone numbers used to be an inconvenience. Today they're a threat, because calls and texts to your number are used to verify your identity when you forget a password or use 2FA on other accounts.

A poster in the Xfinity Mobile forums related how a stolen number was used to take over his PayPal account. An Xfinity Mobile customer who contacted the Washington Post said someone stole his number, ported his Samsung Pay account to a new phone, then used Samsung Pay tied to his credit card to buy a computer at an Apple store.

We don't have an Xfinity Mobile account, so we can't verify if you would need to provide your Comcast account username and password along with your name and account number to request a number port from the wireless phone service provider. We do know that Comcast offers a 2FA option for Comcast accounts, and we urge that you use it.

It's also not clear whether Xfinity Mobile offers account PINs as an option at all, or simply forbids them. Comcast representatives told The Washington Post and Engadget that the company was "working aggressively toward a PIN-based solution."

Tom's Guide has reached out to Comcast about this issue, and we will update this story when we get a response.

UPDATE: A Comcast representative clarified to us that an Xfinity Mobile customer would need to provide his or her Comcast account username and password, as well as a few other pieces of information, in order to request a number port. The representative said that at the moment, there is no PIN requirement for making a port-out request.

The representative suggested that some Xfinity Mobile customers may have had their Comcast account usernames and passwords compromised if those customers had used those same credentials for other accounts that were subsequently exposed in data breaches.

In other words, if you were to sign up as "johnsmith@yahoo.com" with password "wordpass123" for an online account with Acme Corporation, and then were to use the same username and password for your Comcast account, a data breach at Acme would compromise both your Acme and Comcast accounts. Someone who got a list of compromised Acme usernames and passwords could try "credential-stuffing" attacks against other websites to see where else those credentials could log them in.
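As an added illustration (not code from Comcast or from the original article), here is how the credential-stuffing pattern described above can show up in a service's login records: one source tries many different accounts and gets into only a few of them. The event format, the thresholds and all sample data are assumptions constructed for this example.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, login_succeeded).
# IPs are documentation ranges; "johnsmith@yahoo.com" is the article's example.
SAMPLE_EVENTS = (
    # One source replaying a breached list: many accounts, one hit.
    [("203.0.113.7", f"user{i}@example.com", False) for i in range(5)]
    + [("203.0.113.7", "johnsmith@yahoo.com", True)]
    # One customer mistyping a password twice before getting in.
    + [("198.51.100.20", "alice@example.com", ok) for ok in (False, False, True)]
    # A shared office address: many accounts, all logins succeed.
    + [("192.0.2.50", f"staff{i}@example.com", True) for i in range(5)]
)


def find_stuffing_sources(events, min_accounts=5, max_success_rate=0.2):
    """Flag sources that try many distinct accounts and get into few of them.

    Returns {source_ip: [accounts that were successfully logged into]}.
    Those accounts are the ones whose reused password worked, so they need
    a forced password reset and extra scrutiny on sensitive requests.
    Thresholds are illustrative assumptions, not recommended values.
    """
    tried = defaultdict(set)      # every account each source attempted
    succeeded = defaultdict(set)  # accounts each source got into
    for ip, user, ok in events:
        tried[ip].add(user)
        if ok:
            succeeded[ip].add(user)

    flagged = {}
    for ip, accounts in tried.items():
        success_rate = len(succeeded[ip]) / len(accounts)
        if len(accounts) >= min_accounts and success_rate <= max_success_rate:
            flagged[ip] = sorted(succeeded[ip])
    return flagged


if __name__ == "__main__":
    for ip, accounts in find_stuffing_sources(SAMPLE_EVENTS).items():
        print(f"{ip}: suspected credential stuffing, compromised: {accounts}")
```

A customer who fumbles a password touches only one account, and a shared office address has a high success rate, so neither is flagged.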

The representative provided an official Comcast company statement:

"The fraudulent porting of mobile numbers is a well-known industry issue and not unique to Xfinity Mobile. We're aware of a very small number of customers impacted by this issue, but even having one customer impacted by this is one too many.

We believe this has only affected customers whose passwords might have been included in previous, non-Comcast related breaches. We recommend that customers use unique, strong passwords. In addition, customers can further protect their Xfinity account by signing up for multi-factor authentication.

We have also implemented a solution that provides additional safeguards around our porting process, and we're working aggressively towards a PIN-based solution. We are reaching out to impacted customers to apologize and work with them to address the issue. We take this very seriously, and our fraud detection and prevention methods, policies and procedures are continually being reviewed, tested and refined."

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.
