Citrix Bleed leveraged to steal data of 35+ million Comcast Xfinity customers

Telecommunications company Comcast has confirmed a breach that exposed personal information of more than 35.8 million of Xfinity customers.

Exploiting Citrix Bleed to breach Xfinity

CVE-2023-4966 (aka Citrix Bleed) – an information disclosure vulnerability in Citrix NetScaler ADC/Gateway devices – was disclosed on October 10, when Citrix issued a patch to fix the vulnerability.

(CVE-2023-4966 has been exploited as a zero-day by attackers since late August 2023, and widely since the release of the patch.)

Xfinity noted that they “promptly patched and mitigated [their] systems” after Citrix released additional mitigation guidelines on October 23.

“However, we subsequently discovered that prior to mitigation, between October 16 and October 19, 2023, there was unauthorized access to some of our internal systems that we concluded was a result of this vulnerability,” the company stated in the security incident notice sent to customers.

“We notified federal law enforcement and conducted an investigation into the nature and scope of the incident. On November 16, 2023, it was determined that information was likely acquired.”

Xfinity revealed that the stolen information included usernames and hashed passwords, and that the breach also exposed names, contact information, last four digits of social security numbers, dates of birth and/or secret questions and answers for some of its customers (though the number was not specified).

What should customers do?

To protect their accounts, customers are advised to change their passwords and to enable two-factor or multi-factor authentication (if they haven’t already).

The company also urged customers to be vigilant for fraud and identity theft incidents by checking accounts statements, credit card reports, and generally be on the lookout for suspicious activity on their accounts.