Comcast’s Xfinity Customers Impacted by Data Breach
Comcast has notified its Xfinity customers of a “data security incident” that resulted in the theft of customer information including usernames, passwords, contact information, partial social security numbers, and more. The notice, published on Monday, stated that there was unauthorized access to its systems from October 16th to October 19th, 2023.
According to a breach notice published in the state of Maine, a total of 35,879,455 people were affected, with over 50,000 residing in Maine. Xfinity traces the breach to a security vulnerability disclosed by cloud computing company Citrix, which began alerting customers about a flaw in software used by Xfinity and other companies on October 10th. Although Xfinity claims to have patched the security hole, it later uncovered suspicious activity on its internal systems that was attributed to the vulnerability.
Citrix had released a notification of the vulnerability, now known as “Citrix Bleed,” on October 10th, advising customers to patch as soon as possible. By October 18th, security researchers reported that the flaw was under “active” exploitation, and on October 23rd, a Citrix blog post acknowledged targeted attacks were taking place.
The data breach resulted in the theft of customer usernames and hashed passwords. Furthermore, “some customers” may have had their names, contact information, the last four digits of their social security numbers, dates of birth, and/or secret questions and answers exposed. Xfinity has notified federal law enforcement about the incident and stated that “data analysis is continuing.”
In response to the breach, Xfinity will automatically prompt customers to change their passwords the next time they log in to their accounts. It is also encouraging users to enable two-factor authentication.
Xfinity spokesperson Joel Shadle emphasized in an emailed statement to The Verge that they are not aware of any customer data being leaked or any attacks on their customers, and that their cybersecurity team is monitoring 24×7. The full notice, including contact information for the company’s incident response team, can be found on Xfinity’s website.
Updates to the article on December 18th and December 19th included a statement from Xfinity and the number of people affected by the breach, as well as additional details on the “Citrix Bleed” vulnerability.
It’s important to note that Comcast is an investor in Vox Media, The Verge’s parent company.
The breach has raised concerns about the protection of customer data and the potential impact on affected individuals. Customers are urged to follow Xfinity’s guidance on password changes and enable two-factor authentication to enhance their account security.