Xfinity breach may have affected as many as 35.8 million customers

Attackers likely obtained usernames, hashed passwords and potentially other sensitive information.

Reuters / Reuters

Xfinity says a data breach likely led to attackers obtaining customers' usernames and hashed passwords. Other personal information may have been exposed, such as names, contact information, the last four digits of social security numbers, dates of birth and secret questions and answers. The company added that its analysis of the attack is ongoing and it has informed law enforcement about the incident.

In a filing with Maine's attorney general's office, Xfinity owner Comcast disclosed that the intrusion has impacted 35.8 million people. As TechCrunch points out, Comcast had 32.3 million broadband customers as of the end of September, indicating that the vast majority of Xfinity customers have been affected by the breach.

On October 10, Citrix disclosed a vulnerability in software that Xfinity and many other businesses use. It provided guidance on how to mitigate the vulnerability on October 23 and Xfinity said it swiftly patched the problem. However, while carrying out a routine cybersecurity check two days later, Xfinity spotted suspicious activity in its systems. It later determined that bad actors accessed its internal network between October 16 and 19.

Xfinity says it's informing customers of the incident via its website, email and by other means. It's urging them to change their passwords, to make sure they don't use the same passwords on different accounts and to enable two-factor or multi-factor authentication. Xfinity also suggested that folks who use the same login credentials on other accounts change their passwords on those.

This isn't the first security incident Xfinity has had to deal with. Back in 2018, it emerged there was a bug in a Comcast website used to activate Xfinity routers. The issue led to some customers' home addresses being exposed, along with the name and password for their Wi-Fi networks.

Update 12/19 8:00AM ET: Updated to note the number of people who were impacted by the breach.