Xfinity Tells Millions Of Customers To Change Passwords After Alarming Data Breach
As one of the largest ISPs in the country, Comcast might be expected to stay on top of every major security flaw in its systems. It didn't. This breach happened because Comcast waited too long to patch a critical vulnerability in Citrix's NetScaler ADC and NetScaler Gateway appliances. The flaw is known as Citrix Bleed (CVE-2023-4966) and was disclosed by Citrix on October 10, 2023. It was a zero-day in the practical sense: attackers were already exploiting it in the wild before the disclosure and the patch. The bug lets an unauthenticated attacker read fragments of the appliance's memory, and those fragments can contain valid session tokens. Replaying a stolen token drops the attacker into a user's existing session, which has already passed the password and multi-factor challenges, so neither is ever presented to the attacker. Whatever that user could reach, the attacker can now reach too, including administrative functions if the hijacked session belonged to an administrator.
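The practical consequence of the session-replay path described above is that authentication logs look clean: the token is genuine, so no failed login ever appears. What does change is who is presenting the token. The script below is an added example, not code from the article, from Comcast or from Citrix; it walks a set of constructed gateway access lines and flags any session that is suddenly presented from a different client address or user agent than the one it started with. The log format, field names and sample lines are all assumptions made for the example, and a real NetScaler or proxy log would need its own parser in place of parse_line.

```python
"""Flag sessions whose client identity changes mid-session.

Added example (not from the article, Comcast or Citrix). A replayed
session token is valid, so the only visible anomaly is a change in the
client presenting it. The log format below is constructed for the
example: "<timestamp> sess=<id> user=<name> src=<ip> ua=\"<agent>\"".
"""
import shlex
from dataclasses import dataclass, field


@dataclass
class SessionView:
    """Everything we have seen for one session id, in order of first sight."""
    user: str
    src_ips: list = field(default_factory=list)
    user_agents: list = field(default_factory=list)
    first_seen: str = ""
    last_seen: str = ""


def parse_line(line):
    """Parse one constructed-format line into (ts, session, user, src, ua).

    shlex.split keeps the quoted user agent together as one token, so a
    value such as ua="Citrix Workspace/23.9" survives with its space.
    """
    fields = shlex.split(line)
    ts = fields[0]
    kv = dict(f.split("=", 1) for f in fields[1:])
    return ts, kv["sess"], kv["user"], kv["src"], kv["ua"]


def summarize(lines):
    """Collapse raw lines into one SessionView per session id."""
    sessions = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, sess, user, src, ua = parse_line(line)
        view = sessions.setdefault(sess, SessionView(user=user, first_seen=ts))
        view.last_seen = ts
        if src not in view.src_ips:
            view.src_ips.append(src)
        if ua not in view.user_agents:
            view.user_agents.append(ua)
    return sessions


def find_hijack_candidates(lines):
    """Return (session, user, reasons) for every session whose client changed.

    A changed user agent is the stronger signal; an IP change alone is
    common for mobile users and should be read together with what the
    session did afterwards.
    """
    findings = []
    for sess, view in summarize(lines).items():
        reasons = []
        if len(view.src_ips) > 1:
            reasons.append("source IP changed: " + " -> ".join(view.src_ips))
        if len(view.user_agents) > 1:
            reasons.append("user agent changed: " + " -> ".join(view.user_agents))
        if reasons:
            findings.append((sess, view.user, reasons))
    return findings


# Constructed sample lines, not real appliance output. Session 7f3a9c starts
# from alice's workstation and is then presented from a second address with
# a different client; session 21d0e4 stays consistent throughout.
SAMPLE_LOG = [
    '2023-10-17T09:12:03Z sess=7f3a9c user=alice src=203.0.113.5 ua="Citrix Workspace/23.9"',
    '2023-10-17T09:14:41Z sess=7f3a9c user=alice src=203.0.113.5 ua="Citrix Workspace/23.9"',
    '2023-10-17T09:20:10Z sess=21d0e4 user=bob src=198.51.100.20 ua="Citrix Workspace/23.7"',
    '2023-10-17T09:31:57Z sess=7f3a9c user=alice src=198.51.100.77 ua="python-requests/2.31"',
    '2023-10-17T09:33:02Z sess=21d0e4 user=bob src=198.51.100.20 ua="Citrix Workspace/23.7"',
]


if __name__ == "__main__":
    for sess, user, reasons in find_hijack_candidates(SAMPLE_LOG):
        print(f"session {sess} ({user}):")
        for reason in reasons:
            print(f"  {reason}")
```

Run against the sample, only alice's session is reported, with both an address change and a client change. In a real investigation the next step is to pull everything that session did after the change point, since the hijacker inherits whatever the original user was allowed to do.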
Despite the seriousness of the vulnerability, Comcast did not patch its systems until six to nine days after disclosure. The company has confirmed that during that window unauthorized individuals gained access to Xfinity servers and stole a substantial amount of customer data; it did not determine exactly what had been taken until December 6. According to Comcast, the attackers made off with usernames, real names, addresses, secret questions and answers, dates of birth, the last four digits of Social Security numbers, and hashed passwords. Hashing is not encryption: a stolen hash can be attacked offline, and weak or reused passwords will fall quickly, which is why Comcast is forcing resets rather than merely recommending them. Combined with birthdates, partial SSNs and security-question answers, the data is well suited to convincing phishing campaigns and identity theft, so customers who reused those security answers elsewhere should change them too.
This wasn't another ransomware attack, which usually comes with a public demand for payment. Comcast did not even notice the intrusion until almost a week after it happened, which would have made any ransom negotiation difficult. Whoever gained access to Xfinity's data apparently wanted the data itself more than an upfront payment. The attack method is not unique to this case, though: Citrix has confirmed that at least one hacking group has used Citrix Bleed to deploy ransomware.