Xfinity Discloses Data Breach Impacting Nearly 36 Million

Comcast Cable’s Xfinity brand has revealed a major data breach impacting 35.9 million customers that resulted from the exploitation of a Citrix vulnerability.

The telecoms company said that despite “promptly” patching the software flaw first announced by Citrix on October 10, it wasn’t quick enough to stop threat actors exploiting it.

“Citrix issued additional mitigation guidance on October 23, 2023. Xfinity promptly patched and mitigated the Citrix vulnerability within its systems,” the breach notice explained.

“However, during a routine cybersecurity exercise on October 25, Xfinity discovered suspicious activity and subsequently determined that between October 16 and October 19, 2023, there was unauthorized access to its internal systems that was concluded to be a result of this vulnerability.”

Reports suggested that the vulnerability (CVE-2023-4966) had been exploited in the wild as far back as August 2023. The flaw is found in Citrix NetScaler ADC and NetScaler Gateway appliances, and exploitation allows threat actors to bypass multi-factor authentication (MFA) and hijack user sessions.

Xfinity said that it determined on November 16 that its attackers had accessed customer data. This includes usernames and hashed passwords for all, and for “some customers,” potentially other information such as names, contact information, the last four digits of social security numbers, dates of birth and/or secret questions and answers.

The firm has issued a password reset across all affected accounts and recommended customers enable multi-factor authentication (MFA).

“While Xfinity advises customers not to re-use passwords across multiple accounts, the company is recommending that customers change passwords for other accounts for which they use the same username and password or security question,” it added.

Although the firm did not explicitly reveal the number of customers impacted, a notice published by the Office of the Maine Attorney General did have the figure.
