Cyber Incident Victim: Comcast
Date: Oct 2023
Location: United States of America
Summary
Comcast's Xfinity experienced unauthorized access to internal systems, which likely resulted in the theft of customer information including usernames, hashed passwords, contact details, and the last four digits of social security numbers. The breach stemmed from a vulnerability in Citrix software used in Xfinity's infrastructure, which has since been mitigated, and was first detected during a routine cybersecurity exercise. Federal law enforcement was notified, an investigation was initiated, and data analysis remains ongoing to determine the full scope of the incident.
Description
Comcast's Xfinity experienced unauthorized access to its internal systems between October 16 and October 19, 2023, as disclosed in a December 18 public statement. The breach was first detected on October 25 during a routine cybersecurity exercise, triggering an immediate investigation. Xfinity confirmed the intrusion resulted in the likely acquisition of customer information, including usernames and hashed passwords. Additional compromised data fields included contact information and the last four digits of customers' social security numbers. The company attributed the incident to a vulnerability in Citrix software used within its infrastructure, and stated that this specific software-related risk had been resolved by the disclosure date. Federal law enforcement agencies were notified following the discovery, though no details about specific agencies or collaborative actions were provided. Xfinity did not disclose the exact number of affected customers or the geographic distribution of impacted accounts in its initial announcement. The disclosed timeline indicates the intruders had access for roughly four days (October 16 to October 19), and that detection on October 25 came six days after the unauthorized activity ended and nine days after it began.

Data analysis to fully assess the breach's scope remained ongoing as of December 18, nearly two months after initial detection. Xfinity confirmed no operational disruptions to customer services resulted from the incident despite the systems intrusion. The company's disclosure emphasized that the compromised passwords were hashed, a measure that avoids storing plaintext credentials, but it did not specify the hashing algorithm or whether per-user salts were used. Hashing limits exposure rather than eliminating it: an attacker holding the hash list can run offline guessing against it, and how much that costs depends on the algorithm and salting, so affected customers should treat reused passwords as exposed. No evidence suggested customer financial data, full social security numbers, or government-issued identification documents were accessed during the breach. The incident response involved internal cybersecurity teams, external forensic investigators, and coordination with federal authorities, though no remediation steps beyond resolving the vulnerability were detailed. Xfinity's public notification came nearly eight weeks after breach detection and just over two months after the intrusion window opened, without explanation for the disclosure timeline. Exploitation of the Citrix vulnerability was a confirmed attack vector, though the company did not say whether this was part of a broader campaign or an isolated incident. Customer data exposure was limited to the information categories listed above, with no mention of exfiltrated communications, browsing history, or service usage patterns in the available report.
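To make concrete why the unnamed hashing algorithm matters for the stolen password hashes, the following Python example (added here; it is not code from the Xfinity notice or from Comcast) compares offline guessing against unsalted SHA-256 with guessing against per-user salted scrypt. The usernames, passwords, wordlist and scrypt cost parameters are constructed sample data, not values from the incident.

```python
import hashlib
import os

# Constructed sample data (not from the incident): weak passwords and a tiny
# attacker wordlist, so that the guessing loops below actually terminate.
SAMPLE_USERS = {
    "alice": "letmein",
    "bob": "hunter2",
    "carol": "correct horse battery staple",
}
WORDLIST = ["password", "letmein", "xfinity2023", "hunter2", "Summer2023!"]

# scrypt cost parameters are illustrative; production values are tuned per host.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def fast_hash(password):
    """Unsalted SHA-256: cheap and deterministic, so one digest per guess
    can be compared against every user's stored value at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def slow_hash(password, salt):
    """Per-user salted scrypt: each guess must be re-derived for each salt,
    and each derivation is deliberately memory- and time-expensive."""
    return hashlib.scrypt(password.encode(), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32).hex()


def build_leak(users):
    """Simulate the two kinds of stored-credential tables an intruder might
    exfiltrate: {user: sha256hex} and {user: (salt, scrypthex)}."""
    fast_table = {u: fast_hash(p) for u, p in users.items()}
    slow_table = {}
    for u, p in users.items():
        salt = os.urandom(16)          # fresh random salt per user
        slow_table[u] = (salt, slow_hash(p, salt))
    return fast_table, slow_table


def crack_fast(fast_table, wordlist):
    """Offline guessing against unsalted fast hashes. Returns (recovered,
    hash_computations): the work is len(wordlist) no matter how many users,
    because one digest per word is looked up against every stored hash."""
    lookup = {}
    computations = 0
    for w in wordlist:
        lookup[fast_hash(w)] = w
        computations += 1
    recovered = {u: lookup[h] for u, h in fast_table.items() if h in lookup}
    return recovered, computations


def crack_slow(slow_table, wordlist):
    """Offline guessing against salted slow hashes. Returns (recovered,
    kdf_computations): work grows with users x wordlist, and each unit is
    a full scrypt derivation rather than a single SHA-256 block."""
    recovered = {}
    computations = 0
    for u, (salt, h) in slow_table.items():
        for w in wordlist:
            computations += 1
            if slow_hash(w, salt) == h:
                recovered[u] = w
                break
    return recovered, computations


if __name__ == "__main__":
    fast_table, slow_table = build_leak(SAMPLE_USERS)
    print("unsalted sha256:", crack_fast(fast_table, WORDLIST))
    print("salted scrypt:  ", crack_slow(slow_table, WORDLIST))
```

Both runs recover the same two weak passwords from this toy wordlist, which is the point: hashing does not protect a guessable password. What differs is cost. Against unsalted SHA-256 the attacker pays one cheap hash per candidate word for the whole user base; against salted scrypt the attacker pays one expensive derivation per word per user. Since the disclosure names neither the algorithm nor the use of salts, a practitioner should assume the cheaper case and rotate any password that was reused elsewhere.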
