Comcast Xfinity Data Breach Exposed 35 Million Customers

Comcast is notifying Xfinity customers of a data breach that exposed hashed passwords and usernames. Hackers may have also acquired birthdays and the last four digits of social security numbers. This breach could affect 35,879,455 customers, according to Comcast’s filing with the Maine attorney general.

This data breach is still under investigation, and some of the details are unclear. But here’s what we know: hackers targeted an Xfinity Citrix server between October 16th and October 19th. Comcast says that the hackers exploited a vulnerability known as “CitrixBleed” (CVE-2023-4966). A patch for this vulnerability was published on October 10th, but it wasn’t applied by Xfinity until October 23rd.

Cybersecurity personnel at Xfinity detected the breach on October 25th during a “routine cybersecurity exercise.” Federal law enforcement was notified on an unknown date, and on December 6th, Comcast determined that customer usernames and hashed passwords had been acquired by the hackers.

Why this breach was discovered during an “exercise,” rather than a routine security check, is unknown. The CitrixBleed vulnerability was well publicized and received a “critical” severity rating, so it should have been on Comcast’s radar.

Anyway, customers visiting the Xfinity website or app were forced to reset their passwords in late November, before the December 6th revelation. Many of these customers had to reset their password through Xfinity’s customer service line, which experienced wait times of an hour or more. Rumors of a data breach began circulating on social media around this time.

But the data breach may go beyond usernames and hashed passwords. Comcast suggests that “names, contact information, last four digits of social security numbers, dates of birth and/or secret questions and answers” may have been exposed. If Comcast’s suspicion is correct (it probably is), some customers may fall victim to identity theft.

Current and former Xfinity customers should log into the Xfinity website and change their password. Any websites or apps that reuse your old Xfinity password are also at risk: update your password on all relevant websites, and stop reusing passwords. You can also freeze or lock your credit to prevent fraudsters from applying for a card or loan in your name.

Source: Xfinity, Office of the Maine Attorney General via Reuters
