The Vermont Office of the Attorney General disclosed that Xfinity suffered a data breach stemming from a **vulnerability in Citrix’s software**, enabling unauthorized access between **October 16–19, 2023**. The exposed data included **usernames, hashed passwords, full names, contact details, the last four digits of Social Security numbers, dates of birth, and secret questions/answers**. While the breach did not involve full Social Security numbers or financial data, the compromised credentials and personal identifiers pose significant risks, including **identity theft, phishing attacks, and account takeovers**. The incident was publicly reported on **December 18, 2023**, highlighting delays in detection and disclosure. The breach’s scope suggests potential long-term reputational damage and regulatory scrutiny, particularly given the sensitivity of the leaked information and the scale of Xfinity’s customer base.
TPRM report: https://www.rankiteo.com/company/comcast
"id": "com020090625",
"linkid": "comcast",
"type": "Vulnerability",
"date": "10/2023",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'industry': 'Telecommunications / Internet Service '
'Provider',
'location': 'United States',
'name': 'Xfinity (Comcast)',
'type': 'Corporation'}],
'attack_vector': 'Exploitation of Citrix Software Vulnerability',
'data_breach': {'data_encryption': 'Partially (hashed passwords)',
'data_exfiltration': 'Likely (unauthorized access confirmed)',
'personally_identifiable_information': True,
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Authentication Credentials']},
'date_publicly_disclosed': '2023-12-18',
'description': 'The Vermont Office of the Attorney General reported that '
'Xfinity experienced a data breach due to a vulnerability in '
"Citrix's software, with unauthorized access occurring between "
'October 16 and October 19, 2023. The breach potentially '
'involved usernames, hashed passwords, names, contact '
'information, last four digits of Social Security numbers, '
'dates of birth, and secret questions and answers.',
'impact': {'data_compromised': ['usernames',
'hashed passwords',
'names',
'contact information',
'last four digits of Social Security numbers',
'dates of birth',
'secret questions and answers'],
'identity_theft_risk': 'High (PII exposed)'},
'initial_access_broker': {'entry_point': 'Citrix Software Vulnerability'},
'investigation_status': 'Disclosed (ongoing details unspecified)',
'post_incident_analysis': {'root_causes': 'Exploitation of unpatched Citrix '
'software vulnerability'},
'references': [{'date_accessed': '2023-12-18',
'source': 'Vermont Office of the Attorney General'}],
'regulatory_compliance': {'regulatory_notifications': 'Reported to Vermont '
'Office of the Attorney '
'General'},
'response': {'communication_strategy': 'Public disclosure via Vermont Office '
'of the Attorney General'},
'title': 'Xfinity Data Breach via Citrix Software Vulnerability',
'type': 'Data Breach',
'vulnerability_exploited': 'Citrix Software Vulnerability (unspecified)'}