Comcast Xfinity data breach puts 35 million customers at risk
Comcast Xfinity is notifying customers of a data breach that exposed usernames and hashed passwords. For some customers the attackers may also have obtained dates of birth and the last four digits of Social Security numbers. According to documents Comcast filed with Maine's attorney general, 35,879,455 customers may have been affected.
The breach is still under investigation and some details are unclear, but here is what we know: attackers gained access through Xfinity's Citrix NetScaler gateway between October 16 and October 19. According to Comcast, they exploited the vulnerability known as "CitrixBleed" (CVE-2023-4966), a memory-disclosure bug that leaks session tokens and lets an attacker hijack authenticated sessions without a password. Citrix released a patch on October 10, but Xfinity did not apply it until October 23. Because the flaw leaks existing session tokens, patching alone is not enough: sessions stolen before the patch remain valid until they are explicitly terminated, which is why Citrix also advised administrators to kill all active and persistent sessions after updating.
Xfinity security staff noticed suspicious activity on October 25 during what the company calls a "routine cybersecurity exercise." Comcast notified federal law enforcement, though the filing does not say when. On December 6, Comcast concluded that the attackers had obtained customer usernames and hashed passwords.
It is unclear why the intrusion was caught only during an internal exercise, almost a week after the patch was applied, rather than by routine monitoring. CitrixBleed had been publicly disclosed, rated critical, and was known to be exploited in the wild, so Comcast should have been watching its NetScaler appliances closely.
Separately, customers who visited the Xfinity website or app in late November were forced to reset their passwords, weeks before Comcast's December 6 conclusion that data had been taken. Many of these customers had to complete the reset through Xfinity customer service, with wait times of an hour or more. Meanwhile, rumors of a data breach began circulating on social media.
The exposure may go beyond usernames and hashed passwords. Comcast says that "names, contact information, last four digits of social security numbers, dates of birth, and/or secret questions and answers" may also have been taken for some customers. If that is confirmed, as seems likely, some customers could become targets of identity theft. Hashed passwords are not a safe haven either: weak or common passwords can be recovered from their hashes by offline cracking, which is why a reset is required.
Current and former Xfinity customers should log in to the Xfinity website and change their password. Any other site or service where the old Xfinity password was reused is also at risk: update the password everywhere it was used and stop reusing passwords. Treat exposed secret questions and answers the same way, since they are often reused across accounts. You can also lock or freeze your credit to stop fraudsters from opening a card or loan in your name.