Comcast is notifying Xfinity customers of a “data security incident” that allegedly resulted in the theft of customer information, including usernames, passwords, contact information, partial Social Security numbers and more. In a statement Monday, Xfinity said there was “unauthorized access” to its systems from Oct. 16 to Oct. 19, 2023.
BleepingComputer linked to a breach notification published in the state of Maine, which shows that the total number of people affected by the breach is 35,879,455, including over 50,000 people in Maine.
Xfinity attributes the breach to a security flaw disclosed by cloud computing company Citrix, which began alerting customers on Oct. 10 to a flaw in software used by Xfinity and other companies. While Xfinity now says it has fixed the vulnerability, it later discovered suspicious activity on its internal systems “that was believed to be due to this vulnerability.”
BleepingComputer’s report also notes that almost two weeks earlier, on October 10, Citrix released a notification of the vulnerability (now known as “Citrix Bleed”), encouraging customers to install patches as quickly as possible even though no active exploitation of the vulnerability had been detected. However, on October 18, Mandiant security researchers reported that the vulnerability was being “actively” exploited, and on October 23, a blog post from Citrix said it was aware of targeted attacks.
According to Xfinity’s statement, the hack resulted in the theft of customer usernames and hashed passwords. For “some customers,” names, contact information, the last four digits of Social Security numbers, dates of birth, and/or secret questions and answers may also have been disclosed. Xfinity has notified federal law enforcement of the incident and says “data analysis is continuing.”
Xfinity will automatically prompt customers to change their passwords the next time they log in to their accounts and will also prompt users to enable two-factor authentication.
“We are not aware of any customer data leaked anywhere, nor are we aware of any attacks on our customers,” Xfinity spokesman Joel Shadle said in an emailed statement to The Verge. “We take the responsibility to protect our customers very seriously and have our cybersecurity team monitoring 24/7.”
The full notice, including contact information for the company’s incident response team, can be found on Xfinity’s website.
Update December 18, 6:37 p.m. ET: Added a statement from Xfinity.
Update December 19, 9:26 a.m. ET: Added the number of people affected by the breach and additional details about the Citrix Bleed vulnerability.
Disclosure: Comcast is an investor in Vox Media, the parent company of The Verge.