Comcast disclosed that hackers gained access to over 36 million Xfinity customers’ private data by taking advantage of a critical-rated security flaw.
This weakness, dubbed “CitrixBleed,” is present in Citrix networking equipment, which is frequently utilized by large organizations. Since late August, hackers have been widely taking advantage of this vulnerability. Early in October, Citrix released fixes; however, many firms were unable to apply them in time. Hackers have gained access to major targets such as the industrial and commercial bank of China, the aerospace behemoth Boeing, and the global law firm Allen & Overy by exploiting the CitrixBleed vulnerability.
Comcast revealed that between October 16 and October 19, hackers using the CitrixBleed vulnerability gained access to its internal systems; nevertheless, the company did not discover the “malicious activity” until October 25.
By November 16, Xfinity had established that “information was likely acquired” by the hackers. In December, the business came to the conclusion that the data comprised usernames and passwords that had been “hashed,” or stored in a way that renders them unintelligible to humans. Since certain hashing techniques are more easily broken than others, it’s not immediately apparent how the passwords were jumbled or what algorithm was used.
According to the firm, hackers might have also gotten hold of names, contact details, dates of birth, the last four digits of Social Security numbers, and the private questions and answers of an unidentified number of clients.
“Our data analysis is continuing, and we will provide additional notices as appropriate,” says Comcast, implying that other kinds of data might have also been accessed.
The number of affected Xfinity customers is not stated in the warning. Comcast verified that the hack affects about 35.8 million customers in a filing with the attorney general of Maine. The company has over 32 million broadband subscribers, according to Comcast’s most recent financial report, indicating that most, if not all, Xfinity consumers have been affected by this hack.
The event has not yet been reported to the U.S. Securities and Exchange Commission, as required by the regulator’s new data breach reporting guidelines, nor is it clear if Xfinity received a ransom demand or how it affected the company’s operations.
According to Xfinity, all user accounts must have a new password, and the firm advises using two-factor or multi-factor authentication, which is not by default required.
English