Millions of Comcast's Xfinity customers told to reset their passwords following data breach

Hackers appear to have accessed the company's databases through a security flaw in a third-party software platform

Comcast informed customers that hackers accessed the company's internal systems in October and stole the personal data of 35.9 million Xfinity customers.
Kristoffer Tripplaar/SIPA USA

A cybersecurity breach at Comcast may have exposed the personal data of 35.9 million Xfinity customers, the Philadelphia-based telecom giant revealed.

In a letter sent to impacted customers Monday, the company said hackers infiltrated its internal systems and gained access to customers' usernames and hashed passwords sometime between Oct. 16 and 19. Hashed passwords are versions of the passwords transformed by a one-way function and stored on Comcast's servers; the hashing is a precaution that makes it difficult for hackers to determine users' actual passwords.

Comcast is still recommending that its Xfinity customers reset their passwords and turn on multi-factor authentication as an additional security step for their accounts. The company also advised customers who were affected by the breach to check their credit reports and financial statements for unusual or unauthorized activities.

An undisclosed number of those customers may have also had other personal information exposed, including their names, contact information, dates of birth, the last four digits of their Social Security numbers and the answers to security questions used to verify users' identities when logging in to Xfinity's website or mobile app.

Federal authorities have been notified about the breach, and Comcast is continuing to investigate, performing its own "data analysis" related to the incident, the company said.

"We are not aware of any customer data being leaked anywhere, nor of any attacks on our customers," a Comcast spokesperson told Variety.

The company is blaming the data breach on a security vulnerability in a third-party software platform from cloud computing provider Citrix that is used by Comcast internally. Although the vulnerability was patched several days after it was detected on Oct. 10, Comcast said it later discovered that there had been "unauthorized access to our internal systems" before the Citrix security flaw was addressed.