Xfinity confirmed more than 35 million of its customers were affected by a data breach linked to the Citrix Bleed vulnerability. The company, which is part of Comcast Corporation, notified customers Monday that usernames and hashed passwords were stolen in a mid-October cyberattack.
Citrix announced the discovery of a critical vulnerability tracked as CVE-2023-4966 on Oct. 10, and released a patch the same day. The bug, nicknamed Citrix Bleed, is a buffer overflow flaw that can cause disclosure of sensitive information in NetScaler ADC and NetScaler Gateway.
Xfinity discovered unauthorized access was made to its systems between Oct. 16 and Oct. 19, according to its notice to customers. The company concluded the intrusion was the result of the Citrix Bleed vulnerability and determined on Nov. 16 that information was likely stolen in the breach.
Names, contact information, dates of birth, answers to security questions and the last four digits of Social Security numbers were taken from some customers, in addition to usernames and hashed passwords, Xfinity says.
Xfinity identified the stolen information on Dec. 6 and began notifying customers on Dec. 18, the same day it reported to the Office of the Maine Attorney General that a total of 35,879,455 people were affected by the incident.
Xfinity began forced password resets around Dec. 11, causing considerable confusion and frustration among customers who were unaware of a breach, as demonstrated by a flurry of posts on X (formerly known as Twitter).
“We know that you trust Xfinity to protect your information, and we can’t emphasize enough how seriously we are taking this matter,” the company stated in its notice to customers. “We remain committed to continue investing in technology, protocols and experts dedicated to helping to protect your data and keeping you, our customer, safe.”
Xfinity breach occurred after Citrix patch, before additional guidance
Comcast said in a statement provided to SC Media that it “promptly patched and mitigated the vulnerability,” despite the unauthorized access occurring after the initial Citrix Bleed patch.
However, Xfinity’s breach disclosure also notes that additional guidance was provided by Citrix on Oct. 23, after Mandiant discovered the vulnerability had been actively exploited since late August.
Indeed, Citrix updated its security bulletin on Oct. 23 with a link to a NetScaler blog post, which makes an additional recommendation to kill all active and persistent sessions.
“Successful exploitation could result in the ability to hijack existing authenticated sessions, therefore bypassing multifactor authentication or other strong authentication requirements. These sessions may persist after the update to mitigate CVE-2023-4966 has been deployed,” Mandiant noted in its own Oct. 17 blog post.
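The point Mandiant and Citrix are making is that a vendor patch closes the disclosure bug but does not touch the session table, so any session token exposed before the update keeps working until the operator terminates sessions explicitly. The following is an added illustration of that property, not code from Xfinity, Citrix or Mandiant, and it does not model NetScaler's real session handling: the `SessionStore` class, its generation counter and the constructed `simulate_patch_then_kill` scenario are assumptions made for the demo.

```python
"""Why patching alone does not end a session-hijack risk (added example).

A server-side session table keeps a generation counter. Installing a fix
does not change the table, so a session issued before the fix still
validates. Bumping the generation (the 'kill all sessions' step) is what
actually invalidates it. All names here are constructed for the demo.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user: str
    generation: int  # store generation at the time the session was issued


class SessionStore:
    """Minimal session table with one-shot global revocation."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}
        self._generation = 0

    def issue(self, user: str) -> str:
        """Create a fresh, unguessable session token for `user`."""
        token = secrets.token_urlsafe(24)
        self._sessions[token] = Session(user, self._generation)
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the user bound to `token`, or None if unknown or revoked."""
        s = self._sessions.get(token)
        if s is None or s.generation != self._generation:
            return None
        return s.user

    def kill_all_sessions(self) -> None:
        """Terminate every active session, including any persisted copy.

        Raising the generation rejects old tokens even if a stale row is
        later reloaded from a persistent store; dropping the rows as well
        keeps the table from growing.
        """
        self._generation += 1
        self._sessions = {
            t: s for t, s in self._sessions.items()
            if s.generation == self._generation
        }


def simulate_patch_then_kill() -> Dict[str, Optional[str]]:
    """Constructed scenario: login before the fix, patch, then kill sessions."""
    store = SessionStore()
    # A legitimate login that happened while the appliance was still vulnerable;
    # treat this token as one that could have been exposed before the fix.
    pre_patch_token = store.issue("alice")

    # Deploying the vendor update closes the bug but leaves the session table
    # untouched, so the pre-patch token is still accepted.
    after_patch_only = store.validate(pre_patch_token)

    # The extra step from the Oct. 23 guidance: terminate all sessions.
    store.kill_all_sessions()
    after_kill = store.validate(pre_patch_token)

    # Users re-authenticate and receive sessions in the new generation.
    fresh_token = store.issue("alice")
    return {
        "after_patch_only": after_patch_only,  # "alice": hijack window still open
        "after_kill": after_kill,              # None: old token rejected
        "fresh_login": store.validate(fresh_token),  # "alice": normal use resumes
    }


if __name__ == "__main__":
    print(simulate_patch_then_kill())
```

The design choice worth noting is the generation counter: revoking by deleting rows alone is not enough when sessions are replicated or persisted elsewhere, because a stale copy can be restored; a generation mismatch rejects such a copy regardless of where it came from.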