Customers of US comms provider Xfinity have been warned about the compromise of their personal data. A notice on the company’s website warns that names, contact information, birthdays and parts of the social security numbers of customers have been breached. The total number of people impacted is 35,879,455 per a data breach notification filed in Maine.
Xfinity received advice on October 10 from Citrix, one of its suppliers, of a vulnerability in Citrix systems. A patch to fix the vulnerability was released at the same time. However, somebody exploited the vulnerability between October 16 and 19, before Xfinity was able to complete their mitigation efforts. A month later the comms provider concluded data had been extracted by the people who exploited the vulnerability. Further conclusions were reached in early December.
On December 6, 2023, we concluded that the information included usernames and hashed passwords. For some customers, other information was also included, such as names, contact information, last four digits of social security numbers, dates of birth and/or secret questions and answers. However, our data analysis is continuing, and we will provide additional notices as appropriate.
Xfinity is the brand that Comcast adopted in 2010 in order to escape the negative reputation associated with their original corporate name. However, their reputation will not be enhanced by this incident, which means all customers have been forced to change their passwords. Questions also need to be asked about the speed with which their team responded to the risk. It took them more than a week to mitigate a known vulnerability, creating the window of opportunity for the people who compromised the customer data. It takes time to investigate a breach and to ascertain what occurred with confidence, but it is also difficult to understand why Xfinity needed so long to determine 36 million customers were put at risk, and hence to warn them of the need to take precautions.



