
Comcast Data Breach Exposes 36 Million Xfinity Customers to CitrixBleed Exploitation


Comcast has acknowledged a security breach resulting in the exposure of sensitive information belonging to almost 36 million Xfinity customers. The attackers exploited a critical-rated vulnerability known as “CitrixBleed,” which predominantly affects Citrix networking devices used by major corporations.

Despite Citrix releasing patches in early October, the vulnerability remained actively exploited by hackers, impacting organizations such as Boeing, the Industrial and Commercial Bank of China, and international law firm Allen & Overy.

In a notice to customers on Monday, Comcast’s cable television and internet division, Xfinity, confirmed falling victim to the CitrixBleed exploit. The breach occurred between October 16 and October 19, with malicious activity remaining undetected until October 25.

By November 16, Xfinity determined that hackers likely acquired information, including usernames and hashed passwords. Hashed passwords are typically stored in a way that renders them unreadable to humans, but the specific hashing algorithm used has not been disclosed.

Customer data compromised in the breach includes, for an unspecified number of users, names, contact information, dates of birth, the last four digits of Social Security numbers, and secret questions and answers. Comcast is continuing its data analysis, so additional types of accessed data may yet be identified.

While the notice does not specify the number of impacted Xfinity customers, a filing with Maine’s attorney general confirms that nearly 35.8 million customers are affected. Considering Comcast’s latest earnings report, which indicates over 32 million broadband customers, it is apparent that the breach likely affected a significant portion, if not all, of Xfinity's customers.

Comcast has not disclosed whether a ransom demand was received, the operational impact of the incident, or whether the breach has been reported to the U.S. Securities and Exchange Commission, as required by regulatory rules. Comcast’s spokesperson, Joel Shadle, refrained from providing additional details.

Despite the breach, Comcast claims not to be aware of any customer data leaks or attacks on customers. To mitigate risks, Xfinity is mandating password resets for affected customers and recommending the use of two-factor or multi-factor authentication, though this is not enforced by default for all customer accounts. Customers will be informed of any additional information as the data analysis continues and the situation develops.
