Xfinity Rocked with Data Breach Impacting 36 Million Users

Comcast Cable Communications, LLC, operating under the brand name Xfinity, has suffered a massive data breach affecting 36 million users.

Comcast-owned brand Xfinity has initiated the process of notifying its customers about a significant data breach impacting tens of millions of users. The data breach is linked to the critical vulnerability in Citrix software.

It is worth noting that in November 2023, the cybersecurity firm Mandiant, owned by Google, released its findings, issuing a warning to companies about the active exploitation of the Citrix vulnerability. The report indicated that not one, but four uncategorized threat actor groups were involved in the exploitation.

The telecommunication giant, which offers a wide range of services including internet, TV, and phone, stated in the notice sent on Monday that hackers exploited a software vulnerability to access its customers’ personal information.

Xfinity discovered the suspicious activity on October 25, and by December 6 it determined that compromised data may include usernames, hashed passwords, last four digits of Social Security numbers, account security questions, birthdates, and contact information.

According to a breach notification filed with the Maine Attorney General, the breach affected around 35.9 million user accounts, representing a significant portion of its overall user base, which comprises 32 million broadband users.

Cloud computing firm Citrix discovered a vulnerability (CVE-2023-4966) dubbed Citrix Bleed in early October, which affected products used by companies like Xfinity.

It is worth noting that in November 2023, the cybersecurity firm Mandiant, owned by Google, released its findings, issuing a warning to companies about the active exploitation of the Citrix vulnerability.

The report revealed that four uncategorized threat actor groups were involved in exploiting the vulnerability. This vulnerability affects NetScaler ADC and Gateway appliances, allowing them to manipulate user sessions without requiring authentication measures. The same vulnerability was previously linked to hacks targeting the Industrial and Commercial Bank of China’s New York branch and a Boeing subsidiary.

Xfinity patched the vulnerability, but unauthorized access to its internal systems led to data compromise by mid-November. In its official statement, Xfinity’s spokesperson stated that there is no evidence of customers’ data being leaked or targeted attacks.

“We are not aware of any customer data being leaked anywhere, nor of any attacks on our customers.”

Nevertheless, all Xfinity customers are urged to reset their passwords and are advised to use two-factor authentication for added security.

In a comment to Hackread.com, Immersive Labs’ Director of Cyber Threat Research Kev Breen warned companies to timely patch security vulnerabilities as threat actors are quick to exploit them.

“In 2022, the median time to exploitation was one day from exploitation, while the timing of public patches was on average 7 days. This year we’ve consistently seen recently disclosed vulnerabilities and zero days actively exploited in the wild by threat actors at scale.”

Breen also argued the culture of non-existing cybersecurity and vulnerability disclosure-related transparency, despite the US government’s strict and recent policies holding software companies liable for data breaches.

“Despite government intervention to try and strengthen transparency and guidance around cybersecurity practices, many standard implementations still haven’t kept pace. For example, FedRAMP guidelines say organizations have 30 days to remediate high-risk threats — yet attackers just need one day to discover a vulnerability and take advantage to wreak havoc on systems and cause costly damage to organizations.”

This, however, is not the first time Comcast has made headlines for data breaches. In November 2015, the company discovered that 200,000 user login credentials, including email addresses and passwords, were leaked and being sold on the dark web. The company attributed the incident to customers falling victim to malware and phishing attacks.

As for the latest data breach, Comcast, under new Securities and Exchange Commission rules, must disclose cybersecurity breaches affecting their bottom line within four days but has not yet filed such a report, according to The Associated Press.

****RELATED ARTICLES****

1. US aerospace services provider data breach loses 1.5 TB of data
2. Mortgage Giant Mr. Cooper Data Breach; 14 Million Users Impacted
3. Hackers Leak Thousands of Idaho National Lab Employees’ PII Data
4. Sony Data Breach via MOVEit Vulnerability Affects Thousands in US
5. Hackers Access User Info, Corporate Systems in MongoDB Data Breach
6. Delta Dental Hit with 7 Million User Data Breach in MOVEit-Linked Attack