Comcast’s Xfinity Mobile phone service uses ‘0000’ PIN, fraudster hijacks phone number and buys a new Mac

“‘This is a security hole large enough to drive a truck through,’ reader Larry Whitted in Lodi, Calif., wrote last week,” Geoffrey A. Fowler reports for The Washington Post. “As a customer of Comcast’s Xfinity Mobile phone service, Whitted says someone was able to hijack his phone number, port it to a new account on another network and commit identity fraud. The fraudster loaded Samsung Pay onto the new phone with Whitted’s credit card — and went to the Apple Store in Atlanta and bought a computer, he said.”

MacDailyNews Take: Using Samsung Pay to buy a Mac in an Apple Store should have been enough of a red flag!

“The core of the problem: Comcast doesn’t protect its mobile accounts with a unique PIN,” Fowler reports. “The default it uses instead is… 0000.”

“Closely guarding your telephone account is becoming increasingly important for security. All kinds of online and financial services use text messages and calls to a phone number to verify identity, or as a second factor in addition to passwords. Other Xfinity Mobile customers have also reported having their numbers hijacked. After I contacted Comcast, it said it was making a fix,” Fowler reports. “New measures that make it harder to steal phone numbers took effect shortly before I published this column. Comcast said it is also ‘working aggressively towards a PIN-based solution.'”

Read more in the full article here.

MacDailyNews Take: Comcast’s Xfinity Mobile phone service was using 0000 as the default PIN? Jeez Louise!


  1. Wow. This is how people’s really well protected accounts are getting hacked. Call the cell company, say you are activating a new phone you bought used. Give excuses why you don’t have the pin and many customer service agents give in. Activate phone.

    Once working, then proceed to change passwords on other accounts that use 2 factor authentication and receive the texts to confirm your identity. Not cool.

  2. I am glad I didn’t hear this last week I had a message to my iPhone from an online betting site seeking account activation. Had 3 days of concern checking all my accounts and contacting said company who wanted all manner of information which I refused to give, thankfully to find it was as I thought most likely there was no hacked access to my phone account just an idiot keying in the wrong number. easy to get paranoid mind and If I had read this beforehand I would have double panicked, confirming the possibility I most feared, at least if my own mobile provider is as stupid as Comcast anyway.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.