Comcast Cyberattack Impacts 36 Million Xfinity Customers

Comcast has confirmed a data security incident that has affected almost 36 million Xfinity customers.

Attackers reportedly accessed customer data using a vulnerability found in Citrix software used by several large-scale corporations, which was first disclosed in October and has been dubbed the ‘CitrixBleed’ bug.

Now Xfinity, Comcast’s cable television and internet division, has confirmed it is the latest victim of the CitrixBleed breach.

In a statement, Xfinity said it patched and mitigated the Citrix vulnerability immediately, though, during a routine cybersecurity exercise on Oct. 25, the company discovered “suspicious activity.” 

“Xfinity … subsequently determined that between October 16 and October 19, 2023, there was unauthorized access to its internal systems that was concluded to be a result of this vulnerability,” the statement said.

Following a review of the incident, Xfinity concluded customer information compromised under the hack included usernames and hashed passwords, while some customers may have also had information such as names, contact information, the last four digits of social security numbers, dates of birth and/or secret questions and answers. 

While an exact number of customers impacted was not included, a filing with Maine’s attorney general from Comcast showed just under 36 million users were impacted.

Related:Boeing Hit by Cyberattack; System Data Compromised

Xfinity said its analysis of the incident is continuing.

The CitrixBleed bug has been under “mass-exploitation” by hackers since August, used by bad actors including LockBit to hack into companies including Boeing, the Industrial and Commercial Bank of China, and international law firm Allen & Overy.

The Cybersecurity and Infrastructure Security Agency, along with the FBI and cybersecurity officials in Australia, published an advisory on the issue in November.

“Citrix Bleed, known to be leveraged by LockBit 3.0 affiliates, allows threat actors to bypass password requirements and multifactor authentication, leading to successful session hijacking of legitimate user sessions on Citrix NetScaler web application delivery control and Gateway appliances,” the advisory reads. “Through the takeover of legitimate user sessions, malicious actors acquire elevated permissions to harvest credentials, move laterally, and access data and resources.”

The organizations said network defenders should “hunt for malicious activity” on their networks, apply publicly available patches, and follow incident response recommendations.