Comcast Xfinity Breached via CitrixBleed; 35M Customers Affected

The now-infamous CitrixBleed vulnerability has claimed possibly its biggest kill yet: 35 million customers of Comcast Xfinity.

Since at least August, attackers have been exploiting CVE-2023-4966 (aka CitrixBleed), a 7.5 high-severity vulnerability affecting Citrix Systems' NetScaler ADC and Gateway networking products. Even after it was brought to light in October, many organizations have struggled to comprehensively shore up their systems.

One such organization appears to be Comcast Xfinity. On Monday, the cable giant disclosed a CitrixBleed-enabled breach of its customer data, including usernames and hashed passwords, and, for some, names, contact information, last four digits of Social Security numbers, dates of birth, and security questions and answers.

Xfinity provided the following statement to Dark Reading:

"We are providing notice to customers about a data security incident which exploited a vulnerability previously announced by Citrix, a software provider used by Xfinity and thousands of other companies worldwide. We promptly patched and mitigated the vulnerability. We are not aware of any customer data being leaked anywhere, nor of any attacks on our customers. In addition, we required our customers to reset their passwords and we strongly recommend that they enable two-factor or multi-factor authentication, as many Xfinity customers already do. We take the responsibility to protect our customers very seriously and have our cybersecurity team monitoring 24x7."

What Happened in the Comcast Data Breach

Citrix first disclosed and released a patch for CitrixBleed on Oct. 10, with additional guidance for affected customers following a week and two weeks thereafter. In response, according to a notice to customers, Comcast claims that it "promptly patched and mitigated our systems."

However, the company fell victim to a breach through Citrix lasting from Oct. 16 to 19. Xfinity did not explain this discrepancy in its response to an inquiry from Dark Reading.

In those three days, it seems, attackers were able to exfiltrate much of the data Xfinity has about its customers. And a disclosure filed with the Maine Attorney General's Office reveals the full extent of the damage: 35,879,455 individuals affected.

All Xfinity customers will be prompted to reset their passwords upon their next login attempts. Some customers had already received the prompt days before Monday's disclosure.

The Ongoing Threat of CitrixBleed

Even four months into its exploitation, and two months following its patch, "CitrixBleed represents a significant risk for a number of reasons," says Chris Morgan, senior cyber threat intelligence analyst at ReliaQuest. Last month, ReliaQuest identified five active threat groups, including the LockBit ransomware gang, still picking at it.

"The vulnerability affects a wide scale of devices, is extremely easy to exploit — with available proof of concepts (POCs) in circulation — and can present significant opportunities for threat actors," he explains. He also notes a rumor that ransomware groups have passed around a Python script that automates the entire attack chain.

"Even if organizations have applied the necessary patch for the issue and rebooted," he continues, "session tokens can be accessed from a device's memory, which then can then be used to hijack active sessions. This can effectively bypass authentication and gain unencumbered access to the appliance. This is why it is important to invalidate active and persistent session tokens upon applying the patch."

"Susceptible organizations who fail to take these steps will continue to face a significant risk from financially motivated threat actors — in addition to several other significant threats — until they take action," he says.