Xfinity alerts its clients of a software vulnerability-related data leak

Hackers accessed Xfinity customers’ personal information by exploiting a vulnerability in software used by the company.

Dec 21, 2023 - 10:58

This Monday, Comcast-owned telecoms provider Xfinity disclosed that hackers had gained access to its customers' personal information by exploiting a flaw in software the company uses. Xfinity notified customers on Monday that, between October 16 and 19, there was unauthorized access to its internal systems through a vulnerability previously disclosed by software supplier Citrix.

After identifying the "suspicious activity" on October 25, Xfinity concluded that the information was "likely acquired" in the months that followed. The company concluded on December 6 that the data contained hashed passwords and usernames, as well as the last four digits of some customers' Social Security numbers, account security questions, birthdates, and contact details.

While the investigation into the breach is still ongoing, Xfinity said in a statement provided to The Associated Press on Tuesday that it is "not aware of any customer data being leaked anywhere, nor of any attacks on our customers" as of yet.

In the wake of a significant data breach, Xfinity, the service provided by Comcast, is urging its customers to take immediate action by resetting their passwords. The incident affects nearly 35.9 million individuals, a figure disclosed in a filing with the attorney general's office in Maine that represents impacted user IDs. While Comcast has not officially confirmed the exact number, the company, with over 32 million broadband customers, is undoubtedly addressing a substantial breach. The breach is linked to the infamous "Citrix Bleed" vulnerability, known for its association with cyberattacks targeting diverse entities, including the Industrial and Commercial Bank of China's New York branch and a subsidiary of Boeing.

Notably, the recent data breach at Comcast raises eyebrows because the Securities and Exchange Commission now requires public companies to promptly disclose cybersecurity events that could affect their financial status. However, as of Tuesday, there were no SEC filings from Comcast regarding this particular breach.