- Comcast’s Xfinity broadband entertainment platform disclosed a massive data breach involving 35.9 million customers on Monday, an incident connected to the ongoing CitrixBleed vulnerability.
- Xfinity promptly patched the vulnerability in Citrix software it uses in mid-October and took additional mitigation steps, the company said in an announcement. However, during a routine cybersecurity exercise on Oct. 25, Xfinity found an anomaly in its systems and identified a breach between Oct. 16-19 by an unauthorized party.
- After launching an investigation and contacting law enforcement, on Nov. 16 the company determined that customer data was likely stolen. On Dec. 6, Xfinity determined the compromised data included user names and hashed passwords. In some cases, names, contact information, the last four digits of Social Security numbers, dates of birth and secret questions and answers were accessed.
The breach is one of the largest incidents linked to the CitrixBleed buffer overflow vulnerability so far, which has led to major breaches worldwide involving companies that use Citrix Netscaler Application Delivery Controller or Netscaler Gateway.
LockBit 3.0 and AlphV/BlackCat are among several major groups linked to CitrixBleed exploitation activity. Boeing has shared data with the FBI and Cybersecurity and Infrastructure Security Agency, which led an international effort to stem a wave of attacks.
Xfinity is not aware of any data being used for fraudulent activity and the company — a unit of Comcast — is urging customers to reset their passwords and enable two-factor or multifactor authentication, according to a spokesperson.
There is not a recent filing listed on the Comcast investor relations website, nor is it clear whether the company has disclosed anything yet to the Securities and Exchange Commission.
The attack will likely raise additional questions about the effectiveness of the Citrix patch and mitigation steps.
Just a week after the patch was released, Mandiant sent out urgent warnings regarding threat activity that involved patched customers being compromised. Mandiant warned that users would need to delete active sessions, because if those prior sessions persisted, threat groups were still able to gain access to systems.
Such a breach would entangle just about all of Xfinity’s customer base, however it is unclear whether other Comcast customers were impacted.
Mandiant declined to comment on the incident. A spokesperson for Citrix was not immediately available for comment.