A security breach at Comcast-owned Xfinity has exposed the personal data of nearly all the internet provider’s customers, including account usernames, passwords and answers to their security questions.
Comcast said in a filing with Maine’s attorney general’s office that the hack affected 35.8 million people, with the media and technology giant notifying customers of the attack through its website and by email, the company said Monday. The intrusion stems from a vulnerability in software from cloud computing company Citrix, according to Comcast.
Although Citrix patched the vulnerability in October, Xfinity learned that unauthorized users gained access to its internal systems between Oct. 16 and Oct. 19, revealing customer data. For some people, that included their names, contact information, account usernames and passwords, birthdates, parts of their Social Security numbers and answers to their security questions.
In addition to Xfinity, Citrix provides software to thousands of companies around the world. The previously-announced vulnerability, dubbed “Citrix Bleed,” has also been linked to hacks targeting theNew York arm and a Boeing subsidiary, among others.
Under new federal rules that took effect Monday, the Securities Exchange Commission requires public companies to disclose all cybersecurity breaches that could affect their financial results within four days of determining a breach is material.
What should I do if I’m an Xfinity customer?
All Xfinity customers — even those whose accounts might not have been breached — must reset their usernames and passwords, according to Comcast. Xfinity is also encouraging subscribers to use two-factor authentication to secure their accounts.
“While Xfinity advises customers not to re-use passwords across multiple accounts, the company is recommending that customers change passwords for other accounts for which they use the same username and password or security question,” Comcast noted.
Comcast has more than 32 million broadband customers, according to its most recent earnings report, suggesting that the breach likely affected all Xfinity customers.
Some Xfinity users continued to express frustration on Wednesday in wake of the cyberattack. Said one poster on social media in contacting its customer service team: “I signed in, changed password. I try to sign out by tapping my profile icon. It states sign in, but the webpage is showing my account information even though it says I’m signed out. You have more issues than just password leaks.”
Customers with questions can contact Xfinity toll-free at (888) 799-2560 24 hours a day Monday through Friday from 9 a.m. to 9 p.m. Eastern time. More information is available on Xfinity’s website at xfinity.com/dataincident.
—The Associated Press contributed to this report.