Comcast Xfinity data breach affects over 35 million people

A Citrix vulnerability was exploited, leaking names, contact information, partial social security numbers, and birth dates.

Comcast is notifying Xfinity customers of a “data security incident” it says resulted in the theft of customer information, including usernames, passwords, contact information, partial social security numbers, and more. In a notice on Monday, Xfinity said “there was unauthorized access” to its systems from October 16th to October 19th, 2023.

BleepingComputer linked this breach notice published in the state of Maine, which shows the total number of people affected by the breach is 35,879,455, including over 50,000 people in Maine.

Xfinity traces the breach to a security vulnerability disclosed by cloud computing company Citrix, which began alerting customers about a flaw in software Xfinity and other companies use on October 10th. While Xfinity now says it patched the security hole, it later uncovered suspicious activity on its internal systems “that was concluded to be a result of this vulnerability.”

The report from BleepingComputer also notes Citrix released a notification of the vulnerability (now known as “Citrix Bleed”) nearly two weeks earlier, on October 10th, telling customers to patch as soon as possible, although it had not noted active exploitation of the flaw. However, by October 18th, the security researchers at Mandiant reported it was under “active” exploitation, and on October 23rd, a Citrix blog post said it was aware of targeted attacks.

The hack resulted in the theft of customer usernames and hashed passwords, according to Xfinity’s notice. Meanwhile, “some customers” may have had their names, contact information, the last four digits of their social security numbers, dates of birth, and / or secret questions and answers exposed. Xfinity has notified federal law enforcement about the incident and says the “data analysis is continuing.”

Xfinity will automatically ask customers to change their passwords the next time they log in to their accounts, and it’s also encouraging users to turn on two-factor authentication.

“We are not aware of any customer data being leaked anywhere, nor of any attacks on our customers,” Xfinity spokesperson Joel Shadle says in an emailed statement to The Verge. “We take the responsibility to protect our customers very seriously and have our cybersecurity team monitoring 24x7.”

You can find the full notice, including contact information for the company’s incident response team, on Xfinity’s website.

Update December 18th, 6:37PM ET: Added a statement from Xfinity.

Update December 19th, 9:26AM ET: Added the number of people affected by the breach and additional detail on the “Citrix Bleed” vulnerability.

Disclosure: Comcast is an investor in Vox Media, The Verge’s parent company.