Comcast Discloses Breach Affecting About 36 Million Accounts

Comcast confirmed a breach exposing the personal information of 36 million U.S. Xfinity account holders.

Red hazard sign and the words "data breach" sit on top of a partial computer keyboard.
(Image credit: Just_Super, Getty Images)

Comcast has confirmed a security breach affecting 36 million U.S. Xfinity accounts, according to media reports.

Comcast said that hackers exploited a vulnerability in third-party software provider, Citrix, which it uses for remote network access, according to a December 19 Wall Street Journal (WSJ) report.

The breach occurred between October 16 and 19, exposing usernames, hashed passwords, names, contact information, birth dates, the last four digits of users’ social security numbers and secret questions and answers, WSJ said.

Subscribe to Kiplinger’s Personal Finance

Be a smarter, better informed investor.

Save up to 74%

Sign up for Kiplinger’s Free E-Newsletters

Profit and prosper with the best of expert advice on investing, taxes, retirement, personal finance and more - straight to your e-mail.

Profit and prosper with the best of expert advice - straight to your e-mail.

Sign up

The company joins a long list of well-known brands hit by cyber attacks this year, including genetic testing company 23andMe, which earlier this month disclosed a data breach affecting 6.9 million users.

On October 10, the week before Comcast’s breach, Citrix published an advisory on its website about two vulnerabilities in its systems. According to an October 27 report from cybersecurity firm Rapid7, the two vulnerabilities allow “an attacker to read large amounts of memory after the end of a buffer,” that in turn would allow a bad actor to “impersonate another authenticated user.” 

Citrix released a software update to fix the vulnerability on October 23. It also noted that it received reports of session hijacking and targeted attacks exploiting the vulnerability.

“We are not aware of any customer data being leaked anywhere, nor of any attacks on our customers,” a Comcast spokesperson told the WSJ in the report. He added that the company is requiring customers to reset their passwords and recommends enabling multi-factor authentication.

How to secure your Xfinity account

If you're an Xfinity customer, you’ll want to follow the company’s guidance and immediately change your password. Experts recommend choosing a secure, easy-to-remember password, such as a nonsensical combinations of symbols, numbers and upper-and-lower-case numbers.

Experts also encourage people to strongly consider enabling multi-factor authentication, just as Comcast has recommended for its customers.

To do this for your Xfinity account, download the company's app, which the company says is available for download on Apple and Android phones. Then follow these steps. You will then be able to approve or deny log-in attempts with a yes/no button push, facial recognition, one-touch fingerprint ID, traditional text message or email codes, or a code generator.

Related Content

Joey Solitro

Joey Solitro is a freelance financial journalist at Kiplinger with more than a decade of experience. A longtime equity analyst, Joey has covered a range of industries for media outlets including The Motley Fool, Seeking Alpha, Market Realist, and TipRanks. Joey holds a bachelor's degree in business administration.