Xfinity Data Breach 2023- Take action now

The Comcast Cable Communications, doing business as Xfinity, data breach announced this week impacts over 36 million, that may include both current and former customers. As a society, we may becoming numb to responding due to the sheer number of incidents, but in this case, if you’ve ever used Comcast, take action now.

What Happened? On October 10, 2023, one of Xfinity’s software providers, Citrix, announced a vulnerability in one of its products used by Xfinity and thousands of other companies worldwide. At the time Citrix made this announcement, it released a patch to fix the vulnerability. Citrix issued additional mitigation guidance on October 23, 2023. We promptly patched and mitigated our systems.

However, we subsequently discovered that prior to mitigation, between October 16 and October 19, 2023, there was unauthorized access to some of our internal systems that we concluded was a result of this vulnerability. We notified federal law enforcement and conducted an investigation into the nature and scope of the incident. On November 16, 2023, it was determined that information was likely acquired.”

What Information Was Involved? On December 6, 2023, we concluded that the information included usernames and hashed passwords. For some customers, other information was also included, such as names, contact information, last four digits of social security numbers, dates of birth and/or secret questions and answers. However, our data analysis is continuing, and we will provide additional notices as appropriate.”

I’m a customer, why am I just hearing about this now?

Xfinity put out a press release on Monday December 18, 2023, which was picked up by the all the major news networks. Email notifications were not sent to all Xfinity customers, but if a customer attempts to login to their account, a password change is automatically prompted for.

Xfinity falls short on privacy and account modifications.

It’s clear that the web site has a new look and feel, maybe in part due to responding to the data breach. After changing password, with required authentication steps, users cannot update their privacy setting without providing a mobile number.

What action should you take?

  1. Change password login. Only use strong passwords with at least 16 characters, and don’t use the password for any other web site. If you’re not using a password management system, get one now.
  2. Change secret questions and answers. Don’t use questions where answers are easily obtained through social media or past web site uses. Due to prior internet data breaches, criminals have vast amounts of information on everyone; software makes it easy to compile data from multiple sources and create automated attacks.
  3. If Xfinity secret questions and answers are used anywhere else, including the credit reporting agencies like Experian, change them. If in doubt, update all financial institution and phone service secret questions immediately, due to potential harmful impact if those were compromised.
  4. The data breach was in October and consumers are finding out about it in December. If you don’t normally review your financial transactions, look closely. Also, check your credit report activity. https://www.annualcreditreport.com/index.action
  5. Review privacy settings may not be what they were prior to recent web updates.

Comcast has a history of using social security numbers to open accounts that goes back decades. In response to data breaches, US government regulations have been modified and expanded over the years to reduce risk of consumer data being exposed by limiting when social security numbers may be required to mostly financial and government institutions. Cable, phone and healthcare companies still routinely require them in order to receive services. Consumers can refuse to provide one, but might be denied the service.

Xfinity no longer requires social security numbers, but they can be used as a secondary form of identification. Even “an expired photo driver’s license which is not more than five years old from the expiration date” qualifies as acceptable. At what point should an ID be removed from systems to protect consumer data? After a customer has satisfactorily paid their bill for a year? Or 5, which is the basic lifespan of secure computers? If the hashed 4 digit social security number, or any other ID, truly has no value, then why not delete it after a designated period of time?

Resources: