Hackers accessed Xfinity customers' personal information by exploiting a vulnerability in software used by the company, the Comcast-owned telecommunications business announced this week.

In a Monday notice to customers, Xfinity said there was unauthorized access to internal systems as a result of this vulnerability — which was previously announced by software provider Citrix — between Oct. 16 and 19.

Xfinity discovered the “suspicious activity” on Oct. 25, and in the following months determined that information was “likely acquired.” On Dec. 6, the company concluded that information included usernames and hashed passwords — and, for some customers, the last four digits of Social Security numbers, account security questions, birthdates and contact information.

Analysis of the breach is still continuing but to date, Xfinity is “not aware of any customer data being leaked anywhere, nor of any attacks on our customers,” the company said in a statement sent to The Associated Press Tuesday.

Xfinity is also requiring customers to reset their passwords, while strongly recommending two-factor or multifactor authentication.

A filing with Maine's office of the attorney general disclosed that nearly 35.9 million people were affected by this breach. The company declined to confirm a specific number Tuesday, but noted the filing's figure represents user IDs.

Philadelphia-based Comcast has more than 32 million broadband customers, according a recent earnings release.

In addition to Xfinity, Citrix provides software to thousands of companies around the world. The previously-announced vulnerability, dubbed “Citrix Bleed,” has also been linked to hacks targeting the Industrial and Commercial Bank of China's New York arm and a Boeing subsidiary, among others.

Under new rules that went into effect Monday, the Securities Exchange Commission now requires public companies to disclose all cybersecurity breaches that could affect their bottom lines — within four days of determining a breach is material. As of Tuesday, there were no SEC filings from Comcast about the recent data breach and the company did not immediately address it.

Share:
More In Business
Michigan Judge Sentences Walmart Shoplifters to Wash Parking Lot Cars
A Michigan judge is putting sponges in the hands of shoplifters and ordering them to wash cars in a Walmart parking lot when spring weather arrives. Genesee County Judge Jeffrey Clothier hopes the unusual form of community service discourages people from stealing from Walmart. The judge also wants to reward shoppers with free car washes. Clothier says he began ordering “Walmart wash” sentences this week for shoplifting at the store in Grand Blanc Township. He believes 75 to 100 people eventually will be ordered to wash cars this spring. Clothier says he will be washing cars alongside them when the time comes.
State Department Halts Plan to buy $400M of Armored Tesla Vehicles
The State Department had been in talks with Elon Musk’s Tesla company to buy armored electric vehicles, but the plans have been put on hold by the Trump administration after reports emerged about a potential $400 million purchase. A State Department spokesperson said the electric car company owned by Musk was the only one that expressed interest back in May 2024. The deal with Tesla was only in its planning phases but it was forecast to be the largest contract of the year. It shows how some of his wealth has come and was still expected to come from taxpayers.
Load More