Xfinity is the latest in a long line of companies to fall victim to Citrix Bleed, parent company Comcast has confirmed, revealing that almost 36 million customers may have had their data stolen.
The company issued a press release confirming that it had been breached and that sensitive customer data had been stolen.
“During a routine cybersecurity exercise on October 25, Xfinity discovered suspicious activity and subsequently determined that between October 16 and October 19, 2023, there was unauthorized access to its internal systems that was concluded to be a result of this vulnerability,” the press release reads.
Abuse of a patched bug
Further investigation showed that the attackers managed to steal people’s sensitive data: “After further review of the affected systems and data, Xfinity concluded on December 6, 2023 that the customer information included usernames and hashed passwords; for some customers, other information may also have been included, such as names, contact details, last four digits of social security numbers, dates of birth and/or secret questions and answers.”
The company’s customers must now reset their passwords, Xfinity confirmed. It also said it “strongly recommends” users enable multi-factor authentication (MFA) to secure their accounts. “While Xfinity discourages customers from reusing passwords across multiple accounts, the company recommends that customers change passwords for other accounts for which they use the same username and password or security questions,” the announcement concluded.
In late October this year, cloud giant Citrix confirmed earlier reports that a critical vulnerability in some of its products was being exploited in the wild.
It released a patch for the bug, urging users to apply it immediately to protect themselves against attackers. The vulnerability in question is tracked as CVE-2023-4966. It has a severity rating of 9.4 and affects NetScaler ADC and NetScaler Gateway.
A proof-of-concept dubbed Citrix Bleed soon appeared on GitHub.