Lessons From The Comcast Data Breach


Updated April 13, 2025

Comcast disclosed a data breach in October 2023, affecting almost 36 million customers. This attack happened due to a missing patch in critical infrastructure that attackers exploited. The hackers were able to exfiltrate massive amounts of data stored by Comcast. Personal data included usernames and password hashes, names, contact information, and personally identifying customer information.

Attack Path Leading To Data Theft

Xfinity, a subsidiary of Comcast, found evidence of a breach in mid-October, prompting an investigation in collaboration with the authorities. The investigation results indicated that initial access was likely gained through an exploit in a Citrix NetScaler portal, commonly called Citrix Bleed. This vulnerability is caused by a buffer overflow that allows attackers to exfiltrate sensitive data. This sensitive data can include session data, potentially allowing attackers to hijack a user’s session and gain further access.

The breach was identified on Oct. 25, 2023, but initial access is believed to have occurred between Oct. 16 and Oct. 19. During this window, attackers could move through the network undetected and begin identifying user data. On Nov. 16, it was determined that the attackers had accessed sensitive customer data. Comcast advises all affected users to reset their passwords and to do the same for any other service that shares a password with their Xfinity account.

Lessons From The Attack

Citrix Bleed (CVE-2023-4966) is an extremely dangerous vulnerability in Citrix systems. It affects Citrix NetScaler ADC and Gateway. A buffer overflow vulnerability allows attackers to leak extremely sensitive data and potentially perform session hijacking attacks. If an attacker can hijack the session of a high-privilege user, like an administrator, they will be able to do whatever they want to the internal environment. Even compromising a low-privilege user can lead to the exploitation of internal vulnerabilities and the elevation of privilege.

The patch for Citrix Bleed was released on Oct. 10, around one week before the suspected initial access to Comcast’s systems. That may not seem like a long time, but attackers need only small windows to exploit vulnerabilities this dangerous. Keeping many different software components up to date is difficult, but patching must become a top priority when exploits this severe are identified.

Many tools are available that constantly scan the internet for specific exposed components. The most common example is shodan.io. A search on Shodan for “Citrix” reveals over 40,000 results. Attackers using Shodan or similar tools can watch the internet for vulnerable servers and attack them within narrow windows of time. This often comes down to a race between attackers and defenders: how quickly defenders can close the gap before the latest exploit is used against them.

It can be tough to stop attackers once they have initial access. Internal environments often have far fewer security measures than external ones and can be filled with vulnerabilities. These vulnerabilities can be used to move effortlessly through the network and start looking for sensitive information. Sensitive locations, such as critical databases, must be hardened against attack and carefully monitored for anomalous activity.

Aside from automated network monitoring, manual review can also help uncover blind spots. Comcast states that it identified the breach during a routine review; without regular manual reviews, the breach might not have been revealed for far longer. Defenders should monitor their environments carefully and build detections around likely attack paths, which can be identified in collaboration with red teams.
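As an added example (not code from the original post or from Comcast), here is one detection built around the attack path the article describes: a leaked session token being replayed by an attacker. It scans constructed gateway access-log lines (the log format is an assumption, not NetScaler's real format) and flags any session whose client fingerprint changes within a short window.

```python
import re
from datetime import datetime

# Constructed sample log lines, not real NetScaler output. The format is an
# assumption: "<timestamp> session=<id> src=<ip> ua=<user agent> path=<url>".
# Session a1b2c3 is reused from a new address and client within minutes
# (the pattern a replayed token produces); g7h8i9 changes address only
# after a long gap, which this simple rule treats as benign.
SAMPLE_LOG = """\
2023-10-16T08:02:11Z session=a1b2c3 src=203.0.113.10 ua=Chrome/118 path=/vpn/index.html
2023-10-16T08:05:00Z session=a1b2c3 src=203.0.113.10 ua=Chrome/118 path=/admin/users
2023-10-16T08:09:00Z session=a1b2c3 src=198.51.100.77 ua=python-requests/2.31 path=/admin/users
2023-10-16T09:14:30Z session=d4e5f6 src=192.0.2.55 ua=Firefox/119 path=/vpn/index.html
2023-10-16T12:00:00Z session=g7h8i9 src=192.0.2.9 ua=Safari/17 path=/portal
2023-10-16T14:30:00Z session=g7h8i9 src=198.51.100.2 ua=Safari/17 path=/portal
2023-10-17T10:00:00Z session=d4e5f6 src=192.0.2.55 ua=Firefox/119 path=/portal
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<sid>\S+) src=(?P<src>\S+) ua=(?P<ua>\S+) path=(?P<path>\S+)$"
)


def parse_lines(text):
    """Parse log lines matching the assumed format; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return events


def find_session_reuse(events, max_gap_minutes=60):
    """Alert when a session's client fingerprint (source address, user agent)
    changes within max_gap_minutes of its previous request."""
    last_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        fp = (ev["src"], ev["ua"])
        prev = last_seen.get(ev["sid"])
        if prev is not None and prev["fp"] != fp:
            gap = (ev["ts"] - prev["ts"]).total_seconds() / 60
            if gap <= max_gap_minutes:
                alerts.append({"session": ev["sid"], "first": prev["fp"],
                               "second": fp, "path": ev["path"], "minutes": gap})
        last_seen[ev["sid"]] = {"fp": fp, "ts": ev["ts"]}
    return alerts


if __name__ == "__main__":
    for alert in find_session_reuse(parse_lines(SAMPLE_LOG)):
        print(alert)
```

In a real deployment the rule would be tuned (mobile users change addresses legitimately), and a hit on an administrative path such as the constructed `/admin/users` above deserves higher priority than one on a landing page.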

Security is not a one-step process: a similar attack could still have succeeded if only one of these problems had been remediated. Defenses must be applied in different areas and in multiple layers to stop attackers. Regular review of external and internal infrastructure through penetration testing and red-team exercises helps harden networks against attack. Just as important is ensuring that defensive teams understand the techniques attackers are using and implement preemptive fixes before attacks happen.

Meet Your Security Needs With Blue Goat Cyber

We can help you prevent cybercrime. Our team can perform various tests and exercises to gauge your organization’s security properly and work with you to fix weak points. Blue Goat’s testers have years of experience and are trained with the latest techniques and tools to give you a clear understanding of your security posture.

Contact us to learn more.

Comcast Data Breach FAQs

Between October 16 and 19, 2023, hackers exploited a vulnerability in Citrix software, known as "Citrix Bleed," to access Comcast Xfinity's internal systems. This breach exposed the personal information of nearly 36 million customers.

The breach exposed usernames, hashed passwords, and, for some customers, names, contact information, birthdates, partial Social Security numbers, and answers to security questions.

Comcast patched the Citrix vulnerability on October 23, 2023. They discovered the unauthorized access on October 25 and notified federal law enforcement. Customers were informed starting in December 2023 and were required to reset their passwords.

If you received a notification from Comcast or Xfinity, your data was likely impacted. For more information, you can contact IDX, Xfinity’s incident response provider, at 888-799-2560.

  • Reset your Xfinity password.
  • Enable two-factor authentication on your account.
  • Change passwords for other accounts that used the same credentials.
  • Monitor your credit reports for any suspicious activity.

Comcast has partnered with IDX to manage customer notifications and provide support. Affected customers can reach out to IDX for assistance and guidance on protecting their information.

Yes, multiple class action lawsuits have been filed against Comcast, alleging failure to implement adequate cybersecurity measures to protect customer data.

"Citrix Bleed" refers to a critical vulnerability in Citrix software that allows attackers to bypass authentication and access sensitive information. This vulnerability was exploited in the Comcast Xfinity data breach.

Comcast filed a notice with the Maine Attorney General's office, disclosing that approximately 35.8 million individuals were affected.

For detailed information and updates, visit Comcast's official notice: Notice To Customers of Data Security Incident.
