Xfinity hack could compromise user information from 36 million customers, state AG says

Hackers compromised a vulnerability in third-party vendor Citrix.

Hackers compromised a vulnerability in a third-party vendor that serviced Xfinity, which lead to some customer information being stolen, a state attorney general's report said.

Nearly 36 million people could be impacted by the hack, according to a filing from the Maine Attorney General's office.

On Oct. 10, Citrix announced there was a vulnerability in its software, the filing said. Xfinity patched the system initially, but on Oct. 23, Citrix announced it issued "additional mitigation guidance" to further address the vulnerability.

"However, we subsequently discovered that prior to mitigation, between October 16 and October 19, 2023, there was unauthorized access to some of our internal systems that we concluded was a result of this vulnerability," Xfinity said, according to the filing. "We notified federal law enforcement and conducted an investigation into the nature and scope of the incident. On November 16, 2023, it was determined that information was likely acquired."

Xfinity concluded on Dec. 6 that usernames and passwords for some customers were stolen along with names, contact information, last four digits of social security numbers, dates of birth and/or secret questions.

The company says it is still taking a complete stock of what was stolen.

Xfinity is recommending users proactively reset their passwords and said, "and we can't emphasize enough how seriously we are taking this matter."

"Customers trust Xfinity to protect their information, and the company takes this responsibility seriously. Xfinity remains committed to continued investment in technology, protocols and experts dedicated to helping to protect its customers," Xfinity said in a press release.

Comcast, Xfinity's parent company, said it is not aware of any customers' data being leaked anywhere. It recommended its customers reset their passwords and enable two-factor authentication.

"We take the responsibility to protect our customers very seriously and have our cybersecurity team monitoring 24x7," Comcast wrote in a statement.

Citrix said it couldn't comment directly on the Comcast data breach.

Editor's note: This story has been updated to statements from Comcast and Citrix. It also clarifies the Citrix mitigation guidance offered in October.