A significant security breach at Comcast-owned Xfinity has compromised the personal data of nearly all of the internet provider’s customers, revealing account usernames, passwords, and responses to security questions. The intrusion, impacting 35.8 million people, stemmed from a vulnerability in cloud computing software provided by Citrix, according to a filing Comcast submitted to the attorney general’s office in Maine.
Comcast disclosed the breach on Monday, notifying affected customers through its website and email. The unauthorized access occurred between October 16 and October 19. Citrix patched the vulnerability in October. The exposed customer data includes names, contact information, birthdates, parts of Social Security numbers, and answers to security questions.
Citrix, a global provider of software to numerous companies, has been dealing with a previously announced vulnerability named “Citrix Bleed,” which has been linked to cyberattacks on various entities, including the Industrial and Commercial Bank of China’s New York arm and a Boeing subsidiary.
Under new federal regulations effective Monday, public companies must disclose any cybersecurity breaches with potential financial implications within four days of identifying them as material, as mandated by the Securities and Exchange Commission.
Xfinity is advising all customers, regardless of whether their accounts were breached, to reset their usernames and passwords. Additionally, the internet provider recommends using two-factor authentication for enhanced account security. Comcast urges customers not to reuse passwords across multiple accounts and suggests changing passwords for other accounts using the same username and password or security question.
Comcast, with over 32 million broadband customers according to recent earnings reports, indicates that the breach likely impacted all Xfinity customers. Frustration among users persists, with some reporting issues even after changing passwords. Concerned customers can reach out to Xfinity toll-free at (888) 799-2560, available 24 hours a day from Monday to Friday between 9 a.m. and 9 p.m. Eastern time. Additional information is accessible on Xfinity’s website at xfinity.com/dataincident.