IOTW: Xfinity data breach impacts 35 million customers

Comcast Cable Communications, doing business as Xfinity, has disclosed a data breach affecting more than 35 million people. The firm said that, during a routine cyber security exercise in October, it discovered suspicious activity on its internal systems. It subsequently determined that, between October 16 and October 19, 2023, there was unauthorized access to systems via a Citrix software vulnerability known as Citrix Bleed.

Xfinity determined that information was likely acquired, with the customer data in scope including usernames and hashed passwords, contact information, last four digits of social security numbers, dates of birth and/or secret questions and answers. The data analysis is continuing, the firm said. Xfinity has notified federal law enforcement and initiated an investigation into the nature and scope of the incident.

In a statement shared with Bleeping Computer, a Comcast spokesperson said the company’s operations were not impacted and that it received no ransom demand after the incident.

Xfinity customers advised to reset passwords and use MFA

Xfinity has required customers to reset their passwords to protect affected accounts. The company has strongly recommended that customers enable two-factor or multi-factor authentication (MFA) to secure their Xfinity account and also advised them to change passwords for other accounts for which they use the same username and password or security question.

“This breach is particularly alarming as the type of data that has been declared stolen indicates that passwords and answers to identifying secret questions and answers have been lost,” commented Darren James, senior manager at Specops Software, an Outpost24 company. Many people re-use the same password and security questions across many platforms, so if this data has been exposed, then it’s not just the Xfinity account that is vulnerable. It’s potentially many other services as well, he added.

“Even though the passwords may have been hashed, depending on the hashing algorithm used and the length of the password, it is still relatively easy to brute force these hashes back to clear text very quickly using relatively inexpensive hardware. It does not appear that the secret questions and answers were hashed at all.”

Citrix Bleed vulnerability actively exploited

The Citrix Bleed vulnerability (CVE-2023-4966) affects Netscaler Gateway and Netscaler ADC products. It allows threat actors to exploit and bypass password requirements and MFA to hijack legitimate user sessions and acquire elevated permissions to harvest credentials, move laterally and access data and resources.

Citrix released a patch for the flaw on October 10, 2023, but attackers have been abusing it as a zero-day vulnerability since late August 2023.

“The Citrix Bleed vulnerability is particularly concerning because it allows unauthenticated remote attackers to gain sensitive information from the servers, such as session authentication tokens,” said Thomas Richards, principal security consultant at Synopsys Software Integrity Group. Once an attacker gains access to the session tokens, they can impersonate the authenticated user and perform actions as that user.

In the instance of Comcast, the attackers were able to hijack a session of an employee and gain access to the same systems that employee has access to, he added. “Buffer overflow vulnerabilities such as this are less common nowadays due to better secure design practices, however, when they occur they are always damaging. Organizations can protect themselves from these threats by installing critical patches by vendors as soon as they are released and monitoring critical systems for malicious traffic.”