The data breach disclosed recently by Comcast’s Xfinity impacts nearly 36 million individuals, the company told US authorities.
The incident was disclosed by the telecommunications and smart home solutions provider on December 18, when it admitted that hackers gained access to customer usernames and hashed passwords, as well as names, dates of birth, contact information, secret questions and answers, and the last four digits of social security numbers in some cases.
While the company’s press release and customer notice does not include information on the number of affected individuals, Xfinity told the Maine Attorney General’s Office that the data breach impacts 35,879,455 people.
Comcast recently reported having roughly 32 million customers, which suggests that the data breach could affect all Xfinity customers and possibly employees as well.
SecurityWeek has reached out to Comcast for clarifications and will update this article if the company responds.
The attack on Xfinity involved exploitation of a Citrix Netscaler ADC and Gateway vulnerability named CitrixBleed and tracked as CVE-2023-4966. This critical vulnerability can allow hackers to hijack existing sessions and gain access to the targeted organization’s systems.
Citrix announced the availability of patches on October 10, but the vulnerability had been exploited as a zero-day since at least August. Mass exploitation of CitrixBleed started a few weeks after the fixes were released.
Xfinity said it “promptly” installed the patches, but discovered on October 25 that malicious actors had exploited CitrixBleed to gain access to its systems between October 16 and 19.
The company has required customers to change their passwords following the discovery of the intrusion.
CitrixBleed is believed to have been exploited in attacks against many high-profile organizations, including Toyota.