Xfinity internet users may want a refund and a new service provider after reports of an October security breach involving customer data were recently made public.
The exposed data includes “names, contact information, last four digits of social security numbers, dates of birth and/or secret questions and answers” of some customers, according to Xfinity. Users are urged to monitor their credit reports and watch for potential fraud or identity theft using the three major credit agencies: Equifax, Experian and TransUnion.
Some customers received an email about the “data security incident” at around 5 am on December 29.
CBS News reports,
A security breach at Comcast-owned Xfinity has exposed the personal data of nearly all the internet provider’s customers, including account usernames, passwords and answers to their security questions.
Comcast said in a filing with Maine’s attorney general’s office that the hack affected 35.8 million people, with the media and technology giant notifying customers of the attack through its website and by email, the company said Monday. The intrusion stems from a vulnerability in software from cloud computing company Citrix, according to Comcast.
Although Citrix patched the vulnerability in October, Xfinity learned that unauthorized users gained access to its internal systems between Oct. 16 and Oct. 19, revealing customer data. For some people, that included their names, contact information, account usernames and passwords, birthdates, parts of their Social Security numbers and answers to their security questions.
In addition to Xfinity, Citrix provides software to thousands of companies around the world. The previously-announced vulnerability, dubbed “Citrix Bleed,” has also been linked to hacks targeting the Industrial and Commercial Bank of China’s New York arm and a Boeing subsidiary, among others.
It is unclear what ramifications this incident may have for users of the internet service provider and for American national security.
Xfinity sent the following email to customers:
Xfinity Data Security Incident
Notice of Data Security Incident
We are notifying you of a recent data security incident involving your personal information. This notice explains the incident, steps Xfinity has taken to address it, and guidance on what you can do to protect your personal information.
What Happened? On October 10, 2023, one of Xfinity’s software providers, Citrix, announced a vulnerability in one of its products used by Xfinity and thousands of other companies worldwide. At the time Citrix made this announcement, it released a patch to fix the vulnerability. Citrix issued additional mitigation guidance on October 23, 2023. We promptly patched and mitigated our systems.
However, we subsequently discovered that prior to mitigation, between October 16 and October 19, 2023, there was unauthorized access to some of our internal systems that we concluded was a result of this vulnerability. We notified federal law enforcement and conducted an investigation into the nature and scope of the incident. On November 16, 2023, it was determined that information was likely acquired.
What Information Was Involved? On December 6, 2023, we concluded that the information included usernames and hashed passwords; for some customers, other information was also included, such as names, contact information, last four digits of social security numbers, dates of birth and/or secret questions and answers. However, our data analysis is continuing, and we will provide additional notices as appropriate.
What We Are Doing. To protect your account, we have proactively asked you to reset your password. The next time you login to your Xfinity account, you will be prompted to change your password, if you haven’t been asked to do so already.
What You Can Do. We strongly encourage you to enroll in two-factor or multi-factor authentication. While we advise customers not to re-use passwords across multiple accounts, if you do use the same information elsewhere, we recommend that you change the information on those other accounts, as well. You can review the “Additional Information” section below for information on how you can further protect your personal information.
More Information. If you have additional questions, please contact IDX, Xfinity’s incident response provider managing customer notifications and call center support, at 888-799-2560 toll-free, 24 hours a day, 7 days a week. More information is available on the Xfinity website at www.xfinity.com/dataincident.
We know that you trust Xfinity to protect your information, and we can’t emphasize enough how seriously we are taking this matter. We remain committed to continue investing in technology, protocols and experts dedicated to helping to protect your data and keeping you, our customer, safe.
Sincerely,
Xfinity
Additional Information
In general, you should remain vigilant for incidents of fraud and identity theft by reviewing account statements and monitoring your credit reports. You are entitled to a free copy of your credit report annually. To obtain your credit report, visit www.annualcreditreport.com, call toll-free 1-877-322-8228, or mail an Annual Credit Report Request Form (available at www.annualcreditreport.com) to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA, 30348-5281. You can also purchase a copy of your credit report or contact the three major credit reporting bureaus at:
Equifax
PO Box 740241
Atlanta, GA 30374
www.equifax.com
888-378-4329
Experian
PO Box 2002
Allen, TX 75013
www.experian.com
888-397-3742
TransUnion
PO Box 1000
Chester, PA 19016
www.transunion.com
800-888-4213
You should report any actual or suspected identity theft to the Federal Trade Commission and law enforcement. You can obtain information from the Federal Trade Commission and the three major credit bureaus about additional steps you can take to protect yourself against identity theft and fraud, as well as information on placing security freezes and fraud alerts on your credit report. You can contact the Federal Trade Commission at: 600 Pennsylvania Avenue NW, Washington, DC 20580; www.identitytheft.gov; and 1-877-ID-THEFT (1-877-438-4338). This notice was not delayed as a result of a law enforcement investigation.
You may place a security freeze on your credit reports, free of charge. A security freeze prohibits a credit reporting agency from releasing any information from a consumer’s credit report without written authorization. However, please be aware that placing a security freeze on your credit report may delay, interfere with, or prevent the timely approval of any requests you make for new loans, credit mortgages, employment, housing, or other services. You will need to place a security freeze separately with each of the three major credit bureaus if you wish to place a freeze on all of your credit files. In order to request a security freeze, you will need to supply your full name, address, date of birth, Social Security number, current address, all addresses for up to five previous years, email address, a copy of your state identification card or driver’s license, and a copy of a utility bill, bank or insurance statement, or other statement proving residence. To find out more on how to place a security freeze, contact the credit reporting agencies:
Equifax
P.O. Box 105788
Atlanta, GA 30348
888-298-0045
equifax.com/personal/credit-report-services/credit-freeze/
Experian
P.O. Box 9554
Allen, TX 75013
888-397-3742
experian.com/freeze/center.html
TransUnion
P.O. Box 160
Woodlyn, PA 19094
800-916-8800
transunion.com/credit-freeze
At no charge, you can also have the three major credit bureaus place a fraud alert on your file that alerts creditors to take additional steps to verify your identity prior to granting credit in your name. Note, however, that because it tells creditors to follow certain procedures to protect you, it may also delay your ability to obtain credit while the agency verifies your identity. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts on your file. Should you wish to place a fraud alert, or should you have any questions regarding your credit report, please contact the credit reporting agencies:
Equifax
P.O. Box 105069
Atlanta, GA 30348
888-836-6351
equifax.com/personal/credit-report-services/credit-fraud-alerts/
Experian
P.O. Box 9554
Allen, TX 75013
888-397-3742
experian.com/fraud/center.html
TransUnion
P.O. Box 2000
Chester, PA 19106
800-916-8800
transunion.com/fraud-alerts
For New York residents, the New York Office of the Attorney General can be contacted at The Capitol, Albany, NY, 12224, ag.ny.gov, or 1-800-771-7755.
For North Carolina residents, the North Carolina Attorney General can be contacted at 9001 Mail Service Center, Raleigh, NC 27699, ncdoj.gov, or 919-716-6000.
This is a developing story…