Skip to main content

Xfinity data breach revealed: Names, contact info, security Q&As, and more at risk

An Xfinity data breach has been revealed by the company, in which hackers were able to obtain a wide range of customer information.

Data obtained for at least some Xfinity customers “may” include usernames, hashed passwords, real names, contact information, date of birth, last four digits of social security numbers, and security questions and answers …

Xfinity says that the data was obtained through a Citrix vulnerability discovered last month.

On October 10, 2023, Citrix announced a vulnerability in software used by Xfinity and thousands of other companies worldwide. Citrix issued additional mitigation guidance on October 23, 2023. Xfinity promptly patched and mitigated the Citrix vulnerability within its systems. However, during a routine cybersecurity exercise on October 25, Xfinity discovered suspicious activity and subsequently determined that between October 16 and October 19, 2023, there was unauthorized access to its internal systems that was concluded to be a result of this vulnerability.

Xfinity notified federal law enforcement and initiated an investigation into the nature and scope of the incident. On November 16, Xfinity determined that information was likely acquired. After additional review of the affected systems and data, Xfinity concluded on December 6, 2023, that the customer information in scope included usernames and hashed passwords; for some customers, other information may also have been included, such as names, contact information, last four digits of social security numbers, dates of birth and/or secret questions and answers. However, the data analysis is continuing.

If that all sounds a little vague, it is. The company hasn’t yet fully identified what data was obtained for which customers – though it has apparently identified at least some of those affected, as the company has required some customers to reset their passwords.

As with any data breach, there are two immediate concerns: Password security, and phishing attempts.

Many people ignore cybersecurity Rule 1, and use the same passwords for multiple services. Any Xfinity customer who has used the same password for any other website or app should immediately change all of these passwords, taking the opportunity to choose unique, strong ones. This is because the first thing hackers do when they obtain usernames and passwords is try them on a very wide range of other services.

Second, Xfinity customers should be extra vigilant about phishing attempts. Fraudsters may pretend to be from Xfinity, or from other organizations. In short, just because someone seems to have information about you or your account, do not assume they are genuine. You can find more advice about this here.

Finally, if you don’t already use two-factor authentication for your Xfinity account, now would be an excellent time to enable it.

  1. In your account settings, navigate to Xfinity ID and security.
  2. From there, tap Two-step verification to begin the enabling process.
  3. If you don’t already have an email and mobile phone number associated with your account, you’ll be prompted to add and verify them as back-up contact methods. You must have both an email and mobile phone number on the account to enable two-step verification. Note: You can’t use an Xfinity email address.
  4. Once your email and phone number are verified, hit Turn on (on the following page) to enable two-step verification. If your device has biometrics enabled, you’ll be prompted to add another layer of security by using either facial recognition or a fingerprint whenever there’s a sign-in to your Xfinity account.

Once enabled, the Xfinity app will notify you when someone attempts to login to your account, and you’ll need to approve it in the app – usually using Face ID or Touch ID.

We’ll update if any more information on the Xfinity data breach becomes available.

Photo: RoonZ nl/Unsplash

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Ben Lovejoy Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!


Ben Lovejoy's favorite gear

Manage push notifications

notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications
notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications