Comcast says it has notified federal law enforcement agencies about a data breach that may impact tens of millions of customers.
On Monday, Comcast said it was providing customers of its Xfinity television and broadband services with a notice about the security incident, which involved a technical contractor called Citrix.
The incident happened two months ago, when Citrix told clients about a security exploit that affected thousands of them, including Comcast.
The initial announcement was made on October 10, but Citrix didn’t provide clients with a way to fix the issue until October 23, according to Comcast’s notice. Once Comcast was able to implement the patch, it did so, but two days later, the company noticed unusual activity on some of its internal computer systems, suggesting the security issue had already been exploited.
According to Comcast, thieves may have stolen a cache of customer-related information, including usernames, hashed passwords, contact information, the last four digits of a customer’s Social Security number, dates of birth and the answers to their “secret” login questions.
That may not be all the thieves were able to get, Comcast said, affirming that its “data analysis is continuing.”
“Xfinity has required customers to reset their passwords to protect affected accounts,” Comcast said in a statement. “In addition, Xfinity strongly recommends that customers enable two-factor or multifactor authentication to secure their Xfinity account, as many Xfinity customers already do. While Xfinity advises customers not to re-use passwords across multiple accounts, the company is recommending that customers change passwords for other accounts for which they use the same username and password or security question.”
Comcast said customers who have questions can contact its dedicated call center at 1-888-799-2560, which is open 24 hours a day.
“Customers trust Xfinity to protect their information, and the company takes this responsibility seriously,” a Comcast spokesperson said on Monday. “Xfinity remains committed to continued investment in technology, protocols and experts dedicated to helping to protect its customers.”
Separately, a Comcast spokesperson told reporters that the company was not aware of “any customer data being leaked anywhere, nor of any attacks on our customers.”
“We take the responsibility to protect our customers very seriously and have our cybersecurity team monitoring 24-7,” Comcast spokesperson Joel Shadle said.