Xfinity Data breach detected through email alias service
The email appears to have been sent from Teamnort@saless.cc. Interestingly enough when trying a WHOIS on saless.cc it appears the domain is not registered. However, according to this article the TLDs have been hijacked before:
https://labs.detectify.com/2021/01/15/how-i-hijacked-the-top-level-domain-of-a-sovereign-state/
I immediately tried calling Xfinity to explain the issue to their security team, but their entry-level employees couldn't understand the issue. I did some searches and appears that other Xfinity customers have experienced similar phishing emails. In this instance, the only way someone could have gotten that email is if an Xfinity employee is leaking emails or there has been a data breach with customer emails. This email was updated in April of 2021, so the breach would have had to occur after that time. The email is unique enough that it wouldn't have been randomly sent, and note this is the first phishing email I've ever received from someone to my 400+ aliases that I'm using currently.
2 comments
[ 5.2 ms ] story [ 16.4 ms ] threadWhat?! That’s even more interesting than your main problem.
However considering your main problem I see 2 possibilities:
1. SimpleMail service was compromised
2. A local Xfinity store was compromised. I used to work at a telecommunications provider brick n mortar store and there was a common scam going around where sophisticated threat actors would call the store phone and convince the (low wage, low competence) employees that they’re calling from the “corporate office” and provide instructions to install a RAT, thus compromising the computer systems at the store. (There was no admin password on the computers, this was a franchise for one of the most popular US cellular companies in 2021, im positive this scam is still happening every day)
http://links.notification.intuit.com/ls/click?upn=LEV65WI9EZ...