Comcast has confirmed a security breach affecting 36 million U.S. Xfinity accounts, according to media reports.
Comcast said that hackers exploited a vulnerability in third-party software provider, Citrix, which it uses for remote network access, according to a December 19 Wall Street Journal (WSJ) report.
The breach occurred between October 16 and 19, exposing usernames, hashed passwords, names, contact information, birth dates, the last four digits of users’ social security numbers and secret questions and answers, WSJ said.
The company joins a long list of well-known brands hit by cyber attacks this year, including genetic testing company 23andMe, which earlier this month disclosed a data breach affecting 6.9 million users.
On October 10, the week before Comcast’s breach, Citrix published an advisory on its website about two vulnerabilities in its systems. According to an October 27 report from cybersecurity firm Rapid7, the two vulnerabilities allow “an attacker to read large amounts of memory after the end of a buffer,” which in turn would allow a bad actor to “impersonate another authenticated user.”
Citrix released a software update to fix the vulnerability on October 23. It also noted that it received reports of session hijacking and targeted attacks exploiting the vulnerability.
“We are not aware of any customer data being leaked anywhere, nor of any attacks on our customers,” a Comcast spokesperson told the WSJ in the report. He added that the company is requiring customers to reset their passwords and recommends enabling multi-factor authentication.
How to secure your Xfinity account
If you're an Xfinity customer, you’ll want to follow the company’s guidance and immediately change your password. Experts recommend choosing a secure, easy-to-remember password, such as a nonsensical combination of symbols, numbers and upper- and lower-case letters.
Experts also encourage people to strongly consider enabling multi-factor authentication, just as Comcast has recommended for its customers.
To do this for your Xfinity account, download the company's app, which the company says is available on Apple and Android phones. Then follow these steps. You will then be able to approve or deny login attempts with a yes/no button push, facial recognition, one-touch fingerprint ID, traditional text message or email codes, or a code generator.