Comcast warned millions of Xfinity customers their passwords and portions of their social security numbers may have been compromised as part of a recent security breach. It said the breach stemmed from a known vulnerability that has impacted several other major companies in recent weeks.
Boeing and Toyota were also impacted by the vulnerability, known as "CitrixBleed."
According to a data breach notification posted on the Maine Attorney General’s website, 35.8 million customer IDs were affected by the breach, not to be confused with individual customers. For context, Comcast has 31.7 million domestic residential customer relationships, per its third-quarter earnings report.
Comcast has required customers to reset their passwords to protect affected accounts. The company “strongly recommends” that customers enable two-factor or multi-factor authentication and change passwords for other accounts where they use the same username and password or security question.
The data breach was discovered during a “routine cybersecurity exercise” after a vulnerability was reported in the software Xfinity uses through Citrix' NetScaler ADC and NetScaler Gateway appliances. Comcast found unauthorized access to its systems between October 16 and 19, per a notice from the company.
A Comcast spokesperson told Fierce Telecom that since then, the company is "not aware of any customer data being leaked anywhere, nor of any attacks on our customers."
Citrix issued mitigation guidance on October 23, and Xfinity “promptly patched and mitigated the Citrix vulnerability within its systems,” said the company's notice. Comcast has notified federal law enforcement and started an investigation.
According to a Mandiant analysis, the CitrixBleed vulnerability allows attackers to hijack legitimate user sessions on NetScaler ADC and Gateway appliances to conduct network reconnaissance and steal credentials. As of its last update, the cybersecurity company said it was tracking CitrixBleed intrustions “across multiple verticals, including legal and professional services, technology and government organizations.”
“Given the widespread adoption of Citrix in enterprises globally, we suspect the number of impacted organizations is far greater and in several sectors. The victims have been in the Americas, EMEA and APJ,” Mandiant added.
After additional review of the affected systems and data, Comcast concluded this month that information acquired during the incident also might have included customer names, contact information, dates of birth and secret questions and answers.
“However, the data analysis is continuing,” said the company's notice.