Comcast Cable Communications, doing business as Xfinity, disclosed on Monday that attackers who breached one of its Citrix servers in October also stole customer-sensitive information from its systems.
On October 25, roughly two weeks after Citrix released security updates to address a critical vulnerability now known as Citrix Bleed and tracked as CVE-2023-4966, the telecommunications company found evidence of malicious activity on its network between October 16 and October 19.
Cybersecurity company Mandiant says the Citrix flaw had been actively exploited as a zero-day since at least late August 2023.
Following an investigation into the impact of the security breach, Xfinity discovered on November 16 that the attackers also exfiltrated data belonging to 35,879,455 people from its systems.
“After additional review of the affected systems and data, Xfinity concluded on December 6, 2023, that the customer information in scope included usernames and hashed passwords,” the company said.
“[F]or some customers, other information may also have been included, such as names, contact information, last four digits of social security numbers, dates of birth and/or secret questions and answers. However, the data analysis is continuing.”
Users’ passwords reset without any info
While Xfinity says it has asked users to reset their passwords to protect affected accounts, customers report that they had been getting password reset requests last week without any indication as to why that was happening.
“To protect your account, we have proactively asked you to reset your password. The next time you login to your Xfinity account, you will be prompted to change your password, if you haven’t been asked to do so already,” the company says in a data breach notice published on its website.
One year ago, Xfinity customers also had their accounts hacked in widespread credential stuffing attacks bypassing two-factor authentication.
Compromised accounts were then used to reset account passwords for other services, including the Coinbase and Gemini crypto exchanges.
Update December 18, 19:08 EST: A Comcast spokesperson shared the following statement with BleepingComputer after the article was published but didn’t share more details on the number of individuals affected by the data breach. The company added that its operations were not impacted and that it received no ransom demand after the incident.
We are providing notice to customers about a data security incident which exploited a vulnerability previously announced by Citrix, a software provider used by Xfinity and thousands of other companies worldwide. We promptly patched and mitigated the vulnerability. We are not aware of any customer data being leaked anywhere, nor of any attacks on our customers.
In addition, we required our customers to reset their passwords and we strongly recommend that they enable two-factor or multi-factor authentication, as many Xfinity customers already do. We take the responsibility to protect our customers very seriously and have our cybersecurity team monitoring 24×7.
Update December 19, 05:40 EST: Added info on the number of people affected by the data breach.