Pierluigi Paganini December 19, 2023

Comcast’s Xfinity discloses a data breach after a cyber attack hit the company by exploiting the CitrixBleed vulnerability.

Comcast’s Xfinity is notifying its customers about the compromise of their data in a cyberattack that involved the exploitation of the CitrixBleed flaw.

CitrixBleed is a critical vulnerability, tracked as CVE-2023-4966, in Citrix NetScaler ADC (Application Delivery Controller) software. An unauthorized attacker can exploit the flaw to gain access to sensitive data and systems. The vulnerability was discovered by security researchers at Positive Technologies and disclosed to Citrix in October 10, 2023. Citrix released a patch for the vulnerability on November 15, 2023

Threat actors exploited this vulnerability to hijack existing authenticated sessions and bypass multifactor authentication or other strong authentication requirements. The researchers warn that these sessions may persist after the update to mitigate CVE-2023-4966 has been deployed. 

Security firm Mandiant observed threat actors hijacking sessions where session data was stolen before the patch deployment and subsequently used by the threat actor. 

Xfinity is a brand of Comcast Cable Communications, LLC, which is a subsidiary of Comcast Corporation. Xfinity offers a variety of services, including cable television, internet, telephone, and home security. It is a major provider of broadband internet and cable TV services in the United States.

The company addressed the issue shortly after Citrix disclosed the issue on October, however, they subsequently discovered that before mitigation, there was unauthorized access to some of it internal systems. Threat actors exploited the flaw between October 16 and October 19, 2023.

The company notified law enforcement and launched an investigation into the incident.

“On November 16, 2023, it was determined that information was likely acquired.” reads the notice of a security incident. “On December 6, 2023, we concluded that the information included usernames and hashed passwords. For some customers, other information was also included, such as names, contact information, last four digits of social security numbers, dates of birth and/or secret questions and answers. However, our data analysis is continuing, and we will provide additional notices as appropriate.”

The company found that the exposed customer data varies for each customer, including usernames and hashed passwords.

The company prompted customers to reset their passwords and recommended they enable multi-factor authentication.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CitrixBleed)