20.5k unique visitors in the last 3 days

36 Million Affected by Comcast Xfinity Data Breach

The breach was blamed on a Citrix vulnerability but questions should be asked about why mitigations were not implemented sooner.

Customers of US comms provider Xfinity have been warned about the compromise of their personal data. A notice on the company’s website warns that names, contact information, birthdays and parts of the social security numbers of customers have been breached. The total number of people impacted is 35,879,455 per a data breach notification filed in Maine.

Xfinity received advice on October 10 from Citrix, one of its suppliers, of a vulnerability in Citrix systems. A patch to fix the vulnerability was released at the same time. However, somebody exploited the vulnerability between October 16 and 19, before Xfinity was able to complete their mitigation efforts. A month later the comms provider concluded data had been extracted by the people who exploited the vulnerability. Further conclusions were reached in early December.

On December 6, 2023, we concluded that the information included usernames and hashed passwords. For some customers, other information was also included, such as names, contact information, last four digits of social security numbers, dates of birth and/or secret questions and answers. However, our data analysis is continuing, and we will provide additional notices as appropriate.

Xfinity is the brand that Comcast adopted in 2010 in order to escape the negative reputation associated with their original corporate name. However, their reputation will not be enhanced by this incident, which means all customers have been forced to change their passwords. Questions also need to be asked about the speed with which their team responded to the risk. It took them more than a week to mitigate a known vulnerability, creating the window of opportunity for the people who compromised the customer data. It takes time to investigate a breach and to ascertain what occurred with confidence, but it is also difficult to understand why Xfinity needed so long to determine 36 million customers were put at risk, and hence to warn them of the need to take precautions.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email