Security News > 2023 > December > Citrix Bleed leveraged to steal data of 35+ million Comcast Xfinity customers

Citrix Bleed leveraged to steal data of 35+ million Comcast Xfinity customers
2023-12-20 10:31

Telecommunications company Comcast has confirmed a breach that exposed personal information of more than 35.8 million of Xfinity customers.

CVE-2023-4966 - an information disclosure vulnerability in Citrix NetScaler ADC/Gateway devices - was disclosed on October 10, when Citrix issued a patch to fix the vulnerability.

Xfinity noted that they "Promptly patched and mitigated [their] systems" after Citrix released additional mitigation guidelines on October 23.

"However, we subsequently discovered that prior to mitigation, between October 16 and October 19, 2023, there was unauthorized access to some of our internal systems that we concluded was a result of this vulnerability," the company stated in the security incident notice sent to customers.

Xfinity revealed that the stolen information included usernames and hashed passwords, and that the breach also exposed names, contact information, last four digits of social security numbers, dates of birth and/or secret questions and answers for some of its customers.

To protect their accounts, customers are advised to change their passwords and to enable two-factor or multi-factor authentication.


News URL

https://www.helpnetsecurity.com/2023/12/20/xfinity-breach/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2023-10-10 CVE-2023-4966 Unspecified vulnerability in Citrix products
Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA ?virtual?server. 
network
low complexity
citrix
7.5

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Citrix 66 2 64 101 46 213