Xfinity Data Breach 2023: 36 Million Customers Affected
- A settlement totaling $117.5 million has been established following a 2023 data breach at Comcast-owned Xfinity that compromised the personal information of approximately 36 million customers.
- According to filings with the Maine attorney general's office, the security incident affected 35.8 million people, representing nearly all of the internet provider's customer base.
- The breach was caused by a security vulnerability in software developed by the cloud computing company Citrix.
The Citrix Bleed Vulnerability
The breach was caused by a security vulnerability in software developed by the cloud computing company Citrix. The vulnerability, known as Citrix Bleed, allowed unauthorized users to gain access to internal systems.

Although Citrix released patches for the vulnerability in early October 2023, unauthorized actors gained access to Xfinity’s internal systems between October 16, 2023, and October 19, 2023.
The vulnerability was not isolated to Xfinity. Citrix provides software to thousands of global companies, and the same flaw was linked to attacks targeting a Boeing subsidiary and the New York arm of the Industrial and Commercial Bank of China.
Timeline of Detection and Disclosure
Xfinity discovered the suspicious activity on October 25, 2023, during a routine cybersecurity exercise. Following this discovery, the company notified federal law enforcement and launched an investigation to determine the nature and scope of the intrusion.
On November 16, 2023, Xfinity determined that customer information had likely been acquired by the attackers. The company concluded its assessment of the compromised data on December 6, 2023.
Comcast notified affected customers through its website, email communications, and news media.
Scope of Compromised Data
The breach resulted in the theft of usernames and hashed passwords for a vast number of accounts. For a subset of the affected customers, the stolen data was more extensive and included:
- Full names and contact information
- Dates of birth
- The last four digits of Social Security numbers
- Answers to security questions
While the company stated there was no evidence that the leaked data had been used maliciously or that ransom demands had been made, the incident highlighted concerns regarding the timely implementation of security patches for known vulnerabilities.
Remediation and Security Requirements
In response to the breach, Comcast required all Xfinity customers to reset their usernames and passwords, regardless of whether their specific accounts were confirmed to be breached.
The company also strongly encouraged subscribers to enable two-factor or multi-factor authentication to provide an additional layer of security for their accounts.
The incident occurred as new federal rules from the Securities and Exchange Commission took effect. The rules require public companies to disclose material cybersecurity breaches within four days of determining the breach is material to their financial results.
