Comcast Says 35.9 Million Xfinity Customer Accounts Were Hacked

The cable giant said personal information of Xfinity customers was accessed thanks to a software flaw between Oct. 16 and Oct. 19

Comcast logo

Comcast said that personal data from nearly 35.9 million customers of its Xfinity unit may have been accessed by hackers.

The largest cable operator in the U.S. began notifying customers on Monday about the breach, which happened between Oct. 16 and Oct. 19, due to a software vulnerability. The information stolen included usernames and hashed passwords;
names, contact information, last four digits of Social Security numbers, dates of birth and the secret questions and answers companies often use to verify users.

The breach was discovered Dec. 6, according to a filing reporting it with the Maine Attorney General’s office, which said about 50,782 Maine residents were affected. Xfinity offers internet, cable, mobile phone and home security services in six states from Maine to California.

A notice sent out to customers said that the company detected some systems had seen unauthorized access before Comcast was notified about the software issue by the provider, Citrix. The company contacted law enforcement and conducted a probe that determined some information was stolen. Comcast said it has since patched the software problem and data analysis related to the issue is continuing.

“We are not aware of any customer data being leaked anywhere, nor of any attacks on our customers,” the company said in a statement to TheWrap.

Comcast asked its customers to reset their passwords on their Xfinity accounts, and any others that used the same passwords, along with encouraging them to enroll in two-factor or multi-factor identification.

“We know that you trust Xfinity to protect your information, and we can’t emphasize enough how seriously we are taking this matter,” the letter to customers said. “We remain committed to continue investing in technology, protocols and experts dedicated to helping to protect your data and keeping you, our customer, safe.”

The company encouraged customers to place security freezes on their credit reports but did not offer to pay for credit monitoring.

“We take the responsibility to protect our customers very seriously and have our cybersecurity team monitoring 24×7,” Comcast said in its statement.

Comcast reported a total 52.3 million customers as of Sept. 30, including 32.3 million broadband customers, 6.3 million wireless customers and 14.5 million cable customers.

The news did not impact Comcast stock. In morning trading, shares added 14 cents, to $44.84. The stock closed Monday up about 25% since the start of the year.

Comments