The personal data of millions of Comcast customers may have been stolen by one or more criminals.
The internet, voice, and cable TV provider revealed this week that it had been hit by a major data-disclosure bug. Citrix disclosed and patched the flaw in its NetScaler Gateway appliance on October 10, and three days later told IT administrators to apply the update and use a series of commands to force-terminate all active and persistent sessions.
By the end of October, a “massive exploit” of Citrix Bleed was underway, with ransomware teams attempting to exploit and monetize the security flaw. Exploitation of this bug could allow attackers to remotely infiltrate corporate networks, steal data, or commit other crimes.
Despite “quickly patching and mitigating the Citrix vulnerability in our systems,” during a regular cybersecurity exercise on Oct. 25, “Xfinity discovered activity,” Comcast spokesperson Joel Shadle told The Register today.
Speaking for the US cable giant, Shadle added: “We subsequently determined that there had been unauthorized access to our internal systems between October 16, 2023 and October 19, 2023, and concluded that this was the result of this vulnerability.”
In a privacy breach notice filed Monday with the Maine Attorney General’s Office, Comcast said 35.9 million people were affected by the digital intrusion.
Shadle says the number doesn’t necessarily mean “customers” and that “user IDs” is a better term. A single customer may have multiple user IDs for other family members, vacation properties, etc.
Either way, that’s a huge number of people and likely includes all of Xfinity’s customers. To put this into context, in 2022 Comcast provided high-speed broadband internet access to 32 million customers.
After Xfinity discovered the intrusion, it filed a complaint with federal authorities, and by November 16, it said it had “determined that information may have been obtained.”
As of Dec. 6, the internet provider said customer data that may have been stolen included usernames and hashed passwords. Additionally, “for some customers,” the scammers may have also stolen people’s names, contact information, last four digits of their Social Security numbers, dates of birth, and security questions and answers.
For those who don’t know, a hashed password is a password that has been run through a one-way function. Although you can’t directly reverse a hash to recover a person’s actual password, a bad actor can guess candidate passwords, hash them, and compare the results with the stolen hash. The success of these scammers depends on the algorithm and method used by Comcast to create the hash and the strength of the initial password.
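To make that dependence on hashing method and password strength concrete, here is an added example (not from this article, and not Comcast's actual scheme, which has not been disclosed) that audits the same constructed accounts stored two ways. The wordlist, account names, passwords, and the PBKDF2 work factor are all assumptions made for illustration.

```python
from __future__ import annotations
import hashlib
import hmac
import os

# Constructed sample data for illustration; nothing here comes from Comcast.
WORDLIST = ["123456", "password", "qwerty", "letmein"]
ACCOUNTS = {"alice": "password", "bob": "password", "carol": "plum-Tractor-91-orbit"}
PBKDF2_ITERATIONS = 100_000  # assumed work factor for this example

def fast_unsalted(password: str) -> str:
    """Weak storage: a single unsalted SHA-256 pass, identical for every user."""
    return hashlib.sha256(password.encode()).hexdigest()

def slow_salted(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Stronger storage: per-user random salt plus an iterated KDF."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest

def verify_slow(password: str, record: tuple[bytes, bytes]) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = record
    return hmac.compare_digest(slow_salted(password, salt)[1], digest)

def audit_fast(stored: dict[str, str]) -> dict[str, str]:
    """Unsalted: one precomputed table of len(WORDLIST) hashes covers every account."""
    table = {fast_unsalted(word): word for word in WORDLIST}
    return {user: table[h] for user, h in stored.items() if h in table}

def audit_slow(stored: dict[str, tuple[bytes, bytes]]) -> dict[str, str]:
    """Salted: every guess costs a full KDF run, separately for each account."""
    found = {}
    for user, record in stored.items():
        for word in WORDLIST:
            if verify_slow(word, record):
                found[user] = word
                break
    return found

FAST_DB = {user: fast_unsalted(pw) for user, pw in ACCOUNTS.items()}
SLOW_DB = {user: slow_salted(pw) for user, pw in ACCOUNTS.items()}

if __name__ == "__main__":
    print("identical unsalted hashes reveal reuse:", FAST_DB["alice"] == FAST_DB["bob"])
    print("weak passwords found (unsalted):", audit_fast(FAST_DB))
    print("weak passwords found (salted KDF):", audit_slow(SLOW_DB))
```

A password that sits on a common wordlist is found under both schemes; the salted, iterated scheme only raises the cost of each guess, while the long passphrase survives both.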
Meanwhile, the carrier said, “Data analysis continues.”
Your humble vulture is trying so hard to be a glass-half-full bird, but it’s hard to shake the feeling that things are only going to get worse.
Xfinity is currently requiring subscribers to reset their passwords and “strongly recommends” enabling two-factor or multi-factor authentication. As always, don’t reuse passwords across multiple accounts.
If you use the same password and security question/answer combination for other services in addition to Xfinity, you can avoid potential pain in the future by changing that combination on those other accounts too. ®