Xfinity Tells Millions Of Customers To Change Passwords After Alarming Data Breach

It must be a Thursday, because there's been another major data breach that affects millions of consumers and may force you to change passwords. The target of the latest attack was Comcast, which has confirmed that online criminals ran roughshod over its Xfinity servers for days before detection. The hack has reportedly exposed the data of 35.9 million customers. Despite millions of its customers having their data stolen, Comcast's response to the hack has been sluggish to say the least.

Comcast is one of the largest ISPs in the country, so you might expect it to be on top of every major security flaw in its systems. You'd be wrong, though. This hack happened because Comcast waited too long to patch a critical vulnerability in Citrix NetScaler ADC and NetScaler Gateway. Known as Citrix Bleed (CVE-2023-4966), it was disclosed by Citrix on Oct 10. It was a zero-day flaw, meaning attackers were already exploiting it in the wild before a fix existed. The bug is an out-of-bounds memory read: an unauthenticated, crafted request makes the appliance return a chunk of its own memory, and that memory can contain the session tokens of users who are currently logged in. An attacker who replays one of those tokens is treated as that user, so the password and multi-factor challenge are never presented at all; the token is a post-authentication credential. From there, the attacker holds whatever access that user had into the network and can work on elevating it.
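The mechanism described above, as an added illustration (not Citrix's or Comcast's code): a constructed toy gateway that checks password and MFA once at login and thereafter trusts an opaque session token. The attacker harvests tokens from a simulated memory leak and replays one. The point a practitioner needs, and the reason the patching window mattered so much, is in the last two steps: closing the leak does nothing for tokens that were already stolen, which is why Citrix and CISA told NetScaler operators to kill all active sessions after upgrading. `Gateway`, `leak_memory` and `harvest_tokens` are hypothetical stand-ins; the real bug's HTTP trigger is not modelled.

```python
"""Session-token replay after a memory-disclosure bug, and why patching the
read alone is not enough. Added illustration, not Citrix or Comcast code:
Gateway is a constructed stand-in for an SSO appliance that treats any live
session token as proof that password and MFA were already completed."""
import re
import secrets
import time


class Gateway:
    """Toy SSO gateway. Sessions are keyed by an opaque random token; whoever
    presents a live token is served as the user who logged in."""

    def __init__(self, session_ttl=3600):
        self.sessions = {}      # token -> {"user": ..., "issued": ...}
        self.ttl = session_ttl
        self.patched = False

    def login(self, user, password_ok, mfa_ok):
        # Password and MFA are checked exactly once, at login.
        if not (password_ok and mfa_ok):
            raise PermissionError("authentication failed")
        token = secrets.token_hex(32)
        self.sessions[token] = {"user": user, "issued": time.time()}
        return token

    def whoami(self, token):
        # No password, no MFA: the token alone is the credential.
        s = self.sessions.get(token)
        if s is None or time.time() - s["issued"] > self.ttl:
            return None
        return s["user"]

    def leak_memory(self):
        """Hypothetical stand-in for the out-of-bounds read: returns a blob of
        process memory that happens to contain live tokens. The real bug sits in
        the appliance's HTTP handling and is not modelled here."""
        if self.patched:
            return b""
        filler = b"\x00" * 16
        return filler.join(t.encode() for t in self.sessions) + filler

    def apply_patch(self):
        # Stops further leaks but leaves every already-issued token valid.
        self.patched = True

    def apply_patch_and_purge(self):
        # What Citrix and CISA advised for Citrix Bleed: patch, then kill all
        # active sessions so tokens stolen earlier stop working.
        self.patched = True
        self.sessions.clear()


def harvest_tokens(blob):
    """Attacker side: pick 64-hex-char strings out of the leaked memory."""
    return [m.decode() for m in re.findall(rb"[0-9a-f]{64}", blob)]


def demo():
    gw = Gateway()
    gw.login("alice", password_ok=True, mfa_ok=True)   # legitimate user logs in

    stolen = harvest_tokens(gw.leak_memory())          # attacker triggers the leak
    result = {"hijack_before_patch": gw.whoami(stolen[0])}

    gw.apply_patch()                                   # leak closed...
    result["leak_after_patch"] = gw.leak_memory()
    result["hijack_after_patch_only"] = gw.whoami(stolen[0])   # ...token still works

    gw.apply_patch_and_purge()                         # patch plus session kill
    result["hijack_after_purge"] = gw.whoami(stolen[0])
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

Running `demo()` shows the attacker resolving to `alice` both before the patch and after a patch-only fix, and only being cut off once sessions are purged. The same logic applies to any appliance that fronts a network with bearer-style sessions: a token leak is a credential leak, and credentials have to be revoked, not just the hole closed.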

Despite the seriousness of the vulnerability, Comcast's systems went unpatched for six to nine days after disclosure. The company has confirmed that during that window, unauthorized individuals gained access to Xfinity servers and stole substantial user data; it didn't know exactly what data had been taken until Dec 6, though. According to Comcast, the hackers made off with usernames, real names, addresses, security questions and answers, birthdates, partial Social Security numbers, and hashed passwords. This data could be used to make phishing campaigns more convincing or to support identity theft, and the security questions and answers are exactly the kind of detail used to reset passwords on other accounts.

A Comcast data center.

This wasn't another ransomware attack, which usually comes with a public demand for payment. Comcast didn't even know about the intrusion until almost a week after it happened, so there was no extortion note to respond to. Whoever gained access to Xfinity's data wanted the data itself more than an upfront payment. The same flaw has been used for extortion elsewhere, though: Citrix confirmed at least one hacking group has used Citrix Bleed to deploy ransomware.

The stolen passwords were hashed, so the attackers can't simply read them off, but a hashed password is only as safe as the hashing scheme and the password itself; weak or commonly used passwords can still be recovered by offline guessing. Comcast therefore recommends that affected individuals change their login info, and anyone who reused their Xfinity password or security-question answers on other sites should change those as well. Users will be automatically prompted to change their passwords upon their next login, if that has not already happened. The company is sending out notices to explain the situation and offer links to credit monitoring tools. Comcast is still investigating and promises to provide an update when it has more information. It has not, however, apologized for the breach.
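Why "hashed" is not the same as "safe", as an added illustration with constructed data (the article only says the passwords were hashed; nothing here describes how Xfinity actually stores them). The block runs a small offline guessing attack against two kinds of hash: an unsalted SHA-256, where one precomputed table cracks every user at once, and a salted, iterated PBKDF2 record, where every (user, guess) pair costs a fresh derivation. Weak passwords fall either way; the hashing scheme only changes how much work each guess costs. `USERS`, `WORDLIST` and `PBKDF2_ITERS` are constructed inputs.

```python
"""Offline password guessing against a leaked hash dump. Added illustration
with constructed accounts and wordlist; not a description of Xfinity's storage."""
import hashlib
import os

# Constructed: three accounts and a five-entry wordlist. Real attackers use
# lists of hundreds of millions of entries plus mangling rules.
USERS = {
    "alice": "password",
    "bob": "Winter2023!",
    "carol": "correct horse battery staple",   # not in the wordlist
}
WORDLIST = ["123456", "password", "letmein", "Winter2023!", "xfinity"]
PBKDF2_ITERS = 50_000   # kept low so the demo is quick; production uses far more


def unsalted_sha256(pw):
    """The weak scheme: same password, same hash, for every user."""
    return hashlib.sha256(pw.encode()).hexdigest()


def pbkdf2_record(pw, salt=b""):
    """The stronger scheme: per-user random salt plus an iteration count,
    stored as salt$iterations$derived_key."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERS)
    return f"{salt.hex()}${PBKDF2_ITERS}${dk.hex()}"


def crack_unsalted(leaked, wordlist):
    """One lookup table serves every stolen hash: cost grows with the
    wordlist, not with the number of users."""
    table = {unsalted_sha256(w): w for w in wordlist}
    return {user: table[h] for user, h in leaked.items() if h in table}


def crack_pbkdf2(leaked, wordlist):
    """The salt forces a separate derivation per (user, guess), and each
    derivation is PBKDF2_ITERS hash calls. Returns (cracked, guesses_made)."""
    cracked, guesses = {}, 0
    for user, rec in leaked.items():
        salt_hex, iters, dk = rec.split("$")
        salt, iters = bytes.fromhex(salt_hex), int(iters)
        for w in wordlist:
            guesses += 1
            if hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iters).hex() == dk:
                cracked[user] = w
                break
    return cracked, guesses


def demo():
    leaked_fast = {u: unsalted_sha256(p) for u, p in USERS.items()}
    leaked_slow = {u: pbkdf2_record(p) for u, p in USERS.items()}
    fast = crack_unsalted(leaked_fast, WORDLIST)
    slow, guesses = crack_pbkdf2(leaked_slow, WORDLIST)
    return {
        "unsalted_cracked": fast,
        "pbkdf2_cracked": slow,
        "pbkdf2_guesses": guesses,
        "pbkdf2_hash_calls": guesses * PBKDF2_ITERS,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

Both runs recover `alice` and `bob` and miss `carol`, whose passphrase is not in the wordlist. The difference is the bill: the unsalted dump costs five hash calls total regardless of how many accounts leaked, while the PBKDF2 dump costs eleven guesses at fifty thousand iterations each, and that multiplier is what makes the "unlikely to be decoded" reassurance true or false for a given user. Reusing a cracked password elsewhere turns a breach of one provider into a breach of every account that shares it.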