Comcast has confirmed that hackers exploiting a critical-rated security vulnerability accessed the sensitive information of almost 36 million Xfinity customers.
This vulnerability, known as “CitrixBleed,” is found in Citrix networking devices often used by big corporations and has been under mass-exploitation by hackers since late August. Citrix made patches available in early October, but many organizations did not patch in time. Hackers have used the CitrixBleed vulnerability to hack into big-name victims, including aerospace giant Boeing, the Industrial and Commercial Bank of China and international law firm Allen & Overy.
Xfinity, Comcast’s cable television and internet division, became the latest CitrixBleed victim, the company confirmed in a notice to customers on Monday.
The U.S. telecom giant said that hackers exploiting the CitrixBleed vulnerability had access to its internal systems between October 16 and October 19, but that the company did not detect the “malicious activity” until October 25.
By November 16, Xfinity determined that “information was likely acquired” by the hackers, and in December, the company concluded that this included customer data, including usernames and “hashed” passwords, which are scrambled and stored in a way that makes them unreadable to humans. It’s not immediately clear how the passwords were scrambled or using which algorithm, as some weaker hashing algorithms can be cracked.
The company says for an unspecified number of customers, hackers may have also accessed names, contact information, dates of birth, the last four digits of Social Security numbers and their secret questions and answers.
Comcast notes that “our data analysis is continuing, and we will provide additional notices as appropriate,” suggesting additional types of data may also have been accessed.
Disrupt 2026: The tech ecosystem, all in one room
Your next round. Your next hire. Your next breakout opportunity. Find it at TechCrunch Disrupt 2026, where 10,000+ founders, investors, and tech leaders gather for three days of 250+ tactical sessions, powerful introductions, and market-defining innovation. Register now to save up to $400.
Save up to $300 or 30% to TechCrunch Founder Summit
1,000+ founders and investors come together at TechCrunch Founder Summit 2026 for a full day focused on growth, execution, and real-world scaling. Learn from founders and investors who have shaped the industry. Connect with peers navigating similar growth stages. Walk away with tactics you can apply immediately
Offer ends March 13.
The notice doesn’t say how many Xfinity customers have been impacted, and Comcast spokesperson Joel Shadle declined to say when asked by TechCrunch. In a filing with Maine’s attorney general, Comcast confirmed that almost 35.8 million customers are affected by the breach. Comcast’s latest earnings report shows the company has more than 32 million broadband customers, suggesting this breach has impacted most, if not all Xfinity customers.
It’s not yet known whether Xfinity received a ransom demand, how the incident has impacted the company’s operators or whether the incident has been filed with the U.S. Securities and Exchange Commission, as required by the regulator’s new data breach reporting rules. Comcast’s spokesperson would not say.
“We are not aware of any customer data being leaked anywhere, nor of any attacks on our customers,” said Shadle in an email to TechCrunch.
Xfinity says it is requiring that customers reset their passwords and recommends the use of two-factor or multi-factor authentication — which the company doesn’t require by default — for all customer accounts.
Updated with additional comment from Comcast.
Read more on TechCrunch:
- Why extortion is the new ransomware threat
- Do government sanctions against ransomware groups work?
- Why ransomware victims can’t stop paying off hackers
- SEC’s new data breach disclosure rules take effect: what you need to know
Tech gifts you shouldn’t buy your family and friends for the holidays
