Breach of Comcast’s Xfinity exposes nearly 36 million people


Xfinity, Comcast’s cable television and internet division, has had its systems breached via a Citrix bug, with attackers accessing tens of millions of usernames and hashed passwords. Virtually all of Xfinity’s customers were affected.

The US telecoms behemoth was penetrated in mid-October, with attackers likely roaming the company’s Citrix server for three days, per Xfinity’s breach notification letter.

According to details that Xfinity submitted to the Maine Attorney General’s office, the total number of impacted people stands at a whopping 35.9 million, putting the breach among the largest in 2023.


Comcast’s most recent quarterly earnings report shows that the company has over 32 million broadband customers. The company also has over five million mobile customers, which points to the breach covering nearly all of its user base.

While Citrix released the first batch of updates to address the software bug known as “Citrix Bleed” on October 10th, Xfinity’s letter implies the company only patched it on October 23rd.

“However, we subsequently discovered that prior to mitigation, between October 16th and October 19th, 2023, there was unauthorized access to some of our internal systems that we concluded was a result of this vulnerability,” reads Xfinity’s letter.

The company said that attackers accessed Xfinity customers’ usernames and hashed passwords. Some customers have additional details exposed, such as:

  • Names
  • Contact information
  • The last four digits of Social Security numbers
  • Dates of birth
  • Secret questions and answers

Xfinity said that, to protect users, it will require them to reset their passwords the next time they log in to their accounts. The company also advised users to enable two-factor or multi-factor authentication.

“While we advise customers not to re-use passwords across multiple accounts, if you do use the same information elsewhere, we recommend that you change the information on those other accounts, as well,” Xfinity said.

Xfinity, whose legal name is Comcast Cable Communications, was created in 2010 to set up a separate brand from Comcast. In 2022, the company reported a revenue exceeding $66 billion.


The exploit for the Citrix bug was likely developed over the summer, with the first exploitation in the wild occurring between July 20th and 21st.

Citrix released a critical fix for the bug in October. Still, by then, criminals had already infiltrated hundreds of companies by installing backdoors that remained functional even after the systems were patched.

The flaw was first abused by the LockBit ransomware gang in a spate of attacks carried out this November on major names such as Boeing, ICBC Bank, Allen & Overy, and DP World Australia.