36 million people affected by data breach at Xfinity

Cable TV and internet service provider Xfinity says a breach linked to a widespread vulnerability in Citrix technology exposed data of about 36 million people in mid-October.

The intrusion happened between October 16-19, after Citrix had announced the bug but before Xfinity patched its systems, the Philadelphia-based company said in a notification filed Monday with Maine regulators.

The vulnerability, known as “Citrix Bleed” and tracked by researchers as CVE-2023-4966, affects NetScaler ADC and NetScaler Gateway appliances used by companies to manage network traffic.

Since Citrix announced the bug on October 10, it has prompted warnings from cybersecurity experts and the federal government about exploitation by malicious hackers. Cybercrime groups are suspected to have used it in attacks against the healthcare, aviation, banking and manufacturing sectors, among others.

Xfinity — a division of Comcast Corp., which also runs entertainment company NBCUniversal — said it patched its systems on October 23 after Citrix issued additional guidance.

The regulatory filing does not specify exactly when Xfinity discovered the breach. On November 16, after the company had notified law enforcement and conducted an investigation, Xfinity “determined that information was likely acquired,” the regulatory filing said.

The information included “usernames and hashed passwords; for some customers, other information was also included, such as names, contact information, last four digits of social security numbers, dates of birth and/or secret questions and answers.”

Xfinity said it is still analyzing the breach and is telling customers that it will “provide additional notices as appropriate.”

The company is asking customers to reset their passwords and is urging them to add two-factor authentication to their accounts.