
Xfinity data breach impacts over 35 million customers | TechSpot

source link: https://www.techspot.com/news/101270-xfinity-data-breach-impacted-358-million-customers.html

Xfinity data breach impacts over 35 million customers

A Citrix vulnerability is to blame

By Shawn Knight December 19, 2023, 3:55 PM

How we got here: Comcast's Xfinity has disclosed a security breach impacting more than 36 million customers. The breach occurred between October 16 and October 19 of this year, but for the full story, we need to backtrack a bit.

On October 10, cloud service provider Citrix announced a vulnerability impacting software used by Xfinity and "thousands of other companies" around the globe.

It'd be nearly two more weeks – on October 23 – before Citrix shared additional mitigation guidance. Xfinity said it promptly patched and mitigated the vulnerability in its systems, but on October 25, during a routine cybersecurity exercise, it discovered unauthorized access to its systems that had taken place a week earlier using the vulnerability.

In a separate filing with the Maine AG, Comcast said the breach impacted 35,879,455 people.


Xfinity's investigation showed that customer information including usernames, hashed passwords, legal names, contact information, the last four digits of Social Security numbers, dates of birth and / or security questions and answers was compromised. The company said it is still looking into the matter, so it's possible that additional data was compromised.

Xfinity is requiring customers to reset their account passwords, and strongly recommends enabling two-factor authentication. The ISP also advises against re-using passwords across multiple accounts and services; if you have used your Xfinity password elsewhere, be sure to change it there as well.


Notably, the company made no mention of any complimentary credit monitoring service being offered to impacted customers. Such offers are common after high-profile data intrusions; this one did not involve credit card information, which is perhaps why Xfinity is not offering one.

Comcast is no stranger to security incidents. Back in 2018, it was discovered that a Comcast site used to activate Xfinity routers was sharing personal data including home addresses, Wi-Fi network names, and passwords.

Those with additional questions are encouraged to check Xfinity's data breach incident report or reach out directly to the company.


