Rewterz Threat Update – Xfinity Data Leak Affects More Than 35 Million Users

Severity

High

Analysis Summary

Comcast Cable Communications, operating as Xfinity, has reported a data breach impacting over 35 million individuals. Discovered during a routine cybersecurity exercise in October, unauthorized access occurred from October 16 to 19, 2023, exploiting a Citrix software vulnerability called Citrix Bleed. The compromised customer data includes usernames, hashed passwords, contact details, last four digits of social security numbers, birthdates, and/or secret questions and answers. While Xfinity is still analyzing the extent of the breach, it has informed federal law enforcement and initiated an investigation.

Xfinity assures that its operations were unaffected, and no ransom demands were made. Despite the company urging users to reset passwords for affected accounts, customers reported receiving password reset requests without clear explanations. The company’s proactive password reset measure aims to safeguard accounts. A statement on Xfinity’s website notifies users of the breach and advises password changes upon their next login.

Notably, a year prior, Xfinity faced widespread credential stuffing attacks on customer accounts, bypassing two-factor authentication. Compromised accounts were exploited to reset passwords for other services, including cryptocurrency exchanges like Coin base and Gemini. The recent breach emphasizes the ongoing challenges companies face in securing sensitive customer information and the need for heightened cybersecurity measures.

Impact

• Sensitive Data Loss
• Information Theft

Remediation

• Refer to Citrix Security Advisory for patch, upgrade or suggested workaround information.
• Immediately disconnect or isolate the compromised systems. This may involve shutting down affected servers or segments of the network.
• Conduct a thorough investigation to determine the extent of the breach, including identifying which systems and data were compromised.
• Implement measures to contain the breach and prevent further unauthorized access. This may involve patching vulnerabilities, resetting compromised credentials, and deploying updated security policies.
• Implement multi-factor authentication (MFA) and strong password policies to enhance access control.
• Regularly update and patch software and systems to mitigate vulnerabilities.
• Conduct regular security audits and penetration testing to identify and address weaknesses.
• Encrypt sensitive customer and investor data both in transit and at rest to prevent unauthorized access in case of a breach.
• Ensure secure storage of backups and sensitive information with access restricted to authorized personnel only.
• Develop a robust incident response plan that outlines steps to take in the event of a breach. This should include procedures for containment, investigation, and notification of affected parties.
• Develop a long-term cybersecurity strategy to prevent future incidents, including investing in advanced threat detection and response capabilities.