PHILADELPHIA—Comcast has been notifying its Xfinity customers that there was an unauthorized access to its internal systems in October that may have compromised data from 35.8 million user IDs.
The data breach may have given hackers access to such data as passwords, the last four digits of social security numbers, contact details and other information.
Comcast has about 32 million customers but noted that customers may have multiple user IDs. It is requiring users to change their passwords and is strongly recommending they implement two-factor authentication.
The problem was created by a previously announced security problem with Citrix software. Citrix announced the problem in October and the data breach occurred between October 16 and 19, prior to Citrix issuing additional mitigation solutions on October 23, 2023.
Comcast issued a statement saying, “We are providing notice to customers about a data security incident which exploited a vulnerability previously announced by Citrix, a software provider used by Xfinity and thousands of other companies worldwide. We promptly patched and mitigated the vulnerability. We are not aware of any customer data being leaked anywhere, nor of any attacks on our customers. In addition, we required our customers to reset their passwords and we strongly recommend that they enable two-factor or multi-factor authentication, as many Xfinity customers already do. We take the responsibility to protect our customers very seriously and have our cybersecurity team monitoring 24x7.”
In a letter to customers the company said: “At the time Citrix made this announcement, it released a patch to fix the vulnerability. Citrix issued additional mitigation guidance on October 23, 2023. We promptly patched and mitigated our systems. However, we subsequently discovered that prior to mitigation, between October 16 and October 19, 2023, there was unauthorized access to some of our internal systems that we concluded was a result of this vulnerability. We notified federal law enforcement and conducted an investigation into the nature and scope of the incident. On November 16, 2023, it was determined that information was likely acquired.”