FILE - Signage for Xfinity, the cable division of Comcast, is displayed in Philadelphia, July 15, 2015. Hackers accessed Xfinity customers’ personal information by exploiting a vulnerability in software used by the company, the Comcast-owned telecommunications business announced this week. In a Monday, Dec. 18, 2023, notice to customers, Xfinity said there was unauthorized access to internal systems as a result of this vulnerability — which was previously announced by software provider Citrix — between Oct. 16 and 19. Associated press

Matt Rourke

Comcast Xfinity customers are being prompted to change their account passwords in light of an October data breach.

The Philadelphia-based cable and Internet giant announced the hack Monday in a public notice to customers, saying that some of their personal information may have been acquired.

“We are not aware of any customer data being leaked anywhere, nor of any attacks on our customers,” Comcast spokesperson Joel Shadle said in a statement. “We take the responsibility to protect our customers very seriously and have our cybersecurity team monitoring 24x7.”

It was not immediately clear how many customers may have been impacted; however, in a data breach notification filed to the Maine Attorney General, Comcast reported that nearly 36 million people had been affected.

After an investigation, the company determined earlier this month that information accessed by hackers could include: customers’ usernames, contact information, last four digits of Social Security numbers, dates of birth, questions and answers to account security questions, and hashed passwords, which, as a security measure, are algorithmically converted into a random string of characters to prevent misuse.

The incident was the result of a vulnerability in Citrix, which provides remote-work software to Comcast and thousands of other companies, including Boeing and the Industrial and Commercial Bank of China, the world’s largest bank. Both of those corporations were hit this fall by hackers from a ransomware group exploiting the Citrix vulnerability, known as Citrix Bleed by cybersecurity officials.

Comcast said it “promptly patched and mitigated” its systems after Citrix announced the vulnerability, released a patch, and issued mitigation guidance in mid-October. Shortly after, however, Comcast said it discovered there had been “unauthorized access to some of our internal systems” between October 16 and 19, before it had taken steps to mitigate the issue.

The company notified federal authorities, according to the notice, and began an investigation into “the nature and scope of the incident.”

About a month ago, on Nov. 16, officials determined that hackers had likely acquired some information. On Dec. 6, the company determined what kind of customer information may have been accessed.

“However, our data analysis is continuing, and we will provide additional notices as appropriate,” the company wrote.

Comcast is prompting customers to change their Xfinity passwords, and suggesting they do so on any other accounts that use the same password. Officials there are also encouraging customers to use multi-factor authentication — which involves confirming your identity with a text, email, or phone call before logging in.

It was unclear how exactly customers were being notified of the incident beyond the prompts to change their passwords. Several Xfinity customers said they had not received an email with the public notice, or an email prompting them to change their password. As of Tuesday morning, customers were being directed to change their passwords only when they logged in to their online accounts

“We know that you trust Xfinity to protect your information, and we can’t emphasize enough how seriously we are taking this matter,” the company wrote in its notice. “We remain committed to continue investing in technology, protocols and experts dedicated to helping to protect your data and keeping you, our customer, safe.”