Comcast Xfinity knowledge breach impacts over 35 million folks

Comcast is notifying Xfinity clients of a “knowledge safety incident” it says resulted within the theft of buyer data, together with usernames, passwords, contact data, partial social safety numbers, and extra. In a discover on Monday, Xfinity mentioned “there was unauthorized entry” to its techniques from October sixteenth to October nineteenth, 2023.

BleepingComputer linked this breach discover printed within the state of Maine, which exhibits the whole variety of folks affected by the breach is 35,879,455, together with over 50,000 folks in Maine.

Xfinity traces the breach to a safety vulnerability disclosed by cloud computing firm Citrix, which started alerting clients a few flaw in software program Xfinity and different corporations use on October tenth. Whereas Xfinity now says it patched the safety gap, it later uncovered suspicious exercise on its inner techniques “that was concluded to be a results of this vulnerability.”

The report from BleepingComputer additionally notes Citrix launched a notification of the vulnerability (now generally known as “Citrix Bleed”) practically two weeks earlier, on October tenth, telling clients to patch as quickly as potential, though it had not famous energetic exploitation of the flaw. Nevertheless, by October 18th, the safety researchers at Mandiant reported it was underneath “energetic” exploitation, and on October twenty third, a Citrix weblog publish mentioned it was conscious of focused assaults.

The hack resulted within the theft of buyer usernames and hashed passwords, in accordance with Xfinity’s discover. In the meantime, “some clients” could have had their names, contact data, the final 4 digits of their social safety numbers, dates of beginning, and / or secret questions and solutions uncovered. Xfinity has notified federal regulation enforcement in regards to the incident and says the “knowledge evaluation is constant.”

Xfinity will mechanically ask clients to vary their passwords the following time they log in to their accounts, and it’s additionally encouraging customers to activate two-factor authentication.

“We’re not conscious of any buyer knowledge being leaked anyplace, nor of any assaults on our clients,” Xfinity spokesperson Joel Shadle says in an emailed assertion to The Verge. “We take the accountability to guard our clients very significantly and have our cybersecurity crew monitoring 24×7.”

You will discover the total discover, together with contact data for the corporate’s incident response crew, on Xfinity’s web site.

Replace December 18th, 6:37PM ET: Added an announcement from Xfinity.

Replace December nineteenth, 9:26AM ET: Added the variety of folks affected by the breach and extra element on the “Citrix Bleed” vulnerability.

Disclosure: Comcast is an investor in Vox Media, The Verge’s father or mother firm.