Citrix Bleed leveraged to steal data of 35+ million Comcast Xfinity customers (Security News, December 2023)
Telecommunications company Comcast has confirmed a breach that exposed the personal information of more than 35.8 million Xfinity customers.
CVE-2023-4966, an information disclosure vulnerability in Citrix NetScaler ADC and NetScaler Gateway devices, was disclosed on October 10, when Citrix issued a patch for it.
Xfinity noted that they "Promptly patched and mitigated [their] systems" after Citrix released additional mitigation guidelines on October 23.
"However, we subsequently discovered that prior to mitigation, between October 16 and October 19, 2023, there was unauthorized access to some of our internal systems that we concluded was a result of this vulnerability," the company stated in the security incident notice sent to customers.
Xfinity revealed that the stolen information included usernames and hashed passwords, and that for some customers the breach also exposed names, contact information, the last four digits of Social Security numbers, dates of birth and/or secret questions and answers.
To protect their accounts, customers are advised to change their passwords and to enable two-factor or multi-factor authentication.
Related Vulnerability

| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-10-10 | CVE-2023-4966 | Unspecified vulnerability in Citrix products: Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. | 7.5 |