Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Privacy

Comcast Discloses Data Breach of Close To 36 Million Xfinity Customers [UPDATE] (techcrunch.com) 40

In a notice on Monday, Xfinity notified customers of a "data security incident" that resulted in the theft of customer information, including usernames, passwords, contact information, and more. The Verge reports: Xfinity traces the breach to a security vulnerability disclosed by cloud computing company Citrix, which began alerting customers of a flaw in software Xfinity and other companies use on October 10th. While Xfinity says it patched the security hole, it later uncovered suspicious activity on its internal systems "that was concluded to be a result of this vulnerability."

The hack resulted in the theft of customer usernames and hashed passwords, according to Xfinity's notice. Meanwhile, "some customers" may have had their names, contact information, last four digits of their social security numbers, dates of birth, and / or secret questions and answers exposed. Xfinity has notified federal law enforcement about the incident and says "data analysis is continuing."

We still don't know how many users were affected by the breach. Xfinity will automatically ask customers to change their passwords the next time they log in to their accounts, and it's also encouraging users to turn on two-factor authentication. You can find the full notice, including contact information for the company's incident response team, on Xfinity's website (PDF).
UPDATE 12/19/23: According to TechCrunch, almost 36 million Xfinity customers had their sensitive information accessed by hackers via a vulnerability known as "CitrixBleed." The vulnerability is "found in Citrix networking devices often used by big corporations and has been under mass-exploitation by hackers since late August," the report says. "Citrix made patches available in early October, but many organizations did not patch in time. Hackers have used the CitrixBleed vulnerability to hack into big-name victims, including aerospace giant Boeing, the Industrial and Commercial Bank of China and international law firm Allen & Overy."

"In a filing with Maine's attorney general, Comcast confirmed that almost 35.8 million customers are affected by the breach. Comcast's latest earnings report shows the company has more than 32 million broadband customers, suggesting this breach has impacted most, if not all Xfinity customers."
This discussion has been archived. No new comments can be posted.

Comcast Discloses Data Breach of Close To 36 Million Xfinity Customers [UPDATE]

Comments Filter:
  • by Anonymous Coward
    Not even salted-and-hashed, just hashed passwords? Seriously? Amateurs.
    • To be fair, I would call the passwords in our databases hashed, even though they are salted hashes.
    • You seem to be joking, but in reality, hashed passwords, even without salt, are far better than just storing them in plain text in a database. I've seen THAT way too many times.

      • Re:Hashed passwords? (Score:5, Informative)

        by nightflameauto ( 6607976 ) on Tuesday December 19, 2023 @10:01AM (#64090885)

        You seem to be joking, but in reality, hashed passwords, even without salt, are far better than just storing them in plain text in a database. I've seen THAT way too many times.

        When I spun up my dealer ordering site, I did salted / hashed password storage. Every single security meeting I've ever had, the same question gets asked, "Can we change that over to plaintext? Dealers want us to tell them their passwords all the time." I've managed to hold my ground on it, but I know it's only because I was here at the inception of the company and am viewed as a founder.

        I know damn good and well that when I retire it'll be about thirty seconds before they try to cook up a "convert to plaintext" scheme for the passwords. That's the mentality that still pervades in the business world. Security-minded folks trying to play whack-a-mole with management's stupidity. Which they make damn near impossible sometimes.

        • Insurance isn't playing along anymore.

        • by lsllll ( 830002 )
          That's easy to solve. You want to know your password? "It's * insert random 20 character password here (which you generated, salted it, and then hashed and stored in your database) *, but it's only good for 6 hours and you have to change it. Make sure you write it down this time!"
          • by ebvwfbw ( 864834 )

            I couldn't believe it when I was at the security office at a Fed agency waiting to be badged. The person came back. Click, Click, looked under her keyboard, type.......look again type...... enter. She had the keys to the HSPD-12 kingdom there. I reported the incident.
            About 6 months later I had hired someone. They reported to me the same thing. I reported it again to a high up security man.

            Union shop. The worker was protected. They didn't care. It has been years though I bet they still do that.

      • You seem to be joking, but in reality, hashed passwords, even without salt, are far better than just storing them in plain text in a database. I've seen THAT way too many times.

        What do people think is going to happen here? Given a set of tens of millions of salted hashed passwords millions of them will be reversed in days. While hashed passwords are better than nothing they sure as hell are not far better or even meaningfully different than plaintext.

        The continued fact people see them as a valid acceptable solution makes hashes MORE dangerous than plaintext passwords. The only thing worse than knowing your system is insecure is thinking it is when it ain't.

        • Here is a helpful Wikipedia article that explains why hashes are better than plaintext. https://en.wikipedia.org/wiki/... [wikipedia.org]

          • Here is a helpful Wikipedia article that explains why hashes are better than plaintext.

            Passwords have insufficient entropy for hashing to matter in any substantive way.

            If your hashed password database stolen and it is worth anything at all to an attacker a substantial proportion of the passwords are going to be reversed.

            • Do you have a source for that?

              Hive's testing showed that very short passwords can be cracked just about instantly, but longer passwords, and more complex passwords, can take significant amounts of time to crack.

              https://tech.co/password-manag... [tech.co]

              • Do you have a source for that?

                Your own source is sufficient: https://www.hivesystems.io/pas... [hivesystems.io]

                Their chart has 5 minute *average* for 8 character password with letters, numbers and symbols.

                See also...
                https://www.statista.com/stati... [statista.com]

                If you have tens of millions of passwords of random people you will easily crack millions of them.

                Hive's testing showed that very short passwords can be cracked just about instantly, but longer passwords, and more complex passwords, can take significant amounts of time to crack.

                One problem is people don't know how to calculate real world entropy and enforce rules that actively reduce the effective entropy of passwords. Every site with a password strength checker I've ever seen in my en

                • Five minutes, times millions of users, is a lot of time to crack passwords. It's certainly not "the same as" plain text, which requires zero time.

  • by quonset ( 4839537 ) on Tuesday December 19, 2023 @06:18AM (#64090625)

    Xfinity will automatically ask customers to change their passwords the next time they log in to their accounts

    Last month I went to pay my bill and received a message to the effect that during this holiday season Xfinity was going to help with account security by requiring people to change their password. This was November so they already knew of the breach and were trying to cover their asses by making it sound as if they were being proactive.

    It was bad enough they kept pestering me for another email address and to add my phone number to my account, you know, just in case, but having to change my password was a no go. It's a secure password which is never used anywhere else and is only stored in two off browser locations (one is for backup). I shouldn't be penalized for their incomptence, especially when they've shown that had I given them all that other information it too would have been stolen.

    I ended up calling their number and paying my bill over the phone. Will probably do so from now on since they can't get their act together.

    • by burtosis ( 1124179 ) on Tuesday December 19, 2023 @08:05AM (#64090717)

      I ended up calling their number and paying my bill over the phone. Will probably do so from now on since they can't get their act together.

      Just change providers, I’m pretty sure Comcast services that area. /s

    • I never log in to Comcast/Xfinity, except in the sense that my email client logs in to retrieve my email.

      I do not access my bill online. It is waaayyyyy too much trouble. I simply get a paper bill and scan it. Takes 1/10th the time it takes to retrieve it online, assuming authentication doesn't fail, which is not uncommon.

      I pay the bill by pushing the money from my bank automatically by eft, which does involve at some point logging in to my bank. I never give Comcast my credit card info or let them acce

  • I mean, that's what you do when hackers break into a system, you fine the victim, right?

  • 10 gigacustomers?
  • The cloud is perfectly secure! We were told that when they promised that over a decade ago, so this breach didn't happen.
    • no it's fake news because comcast/xfinity has sworn up and down that they value your privacy and protect customer data (unless they're selling it for those sweet sweet adbux) So really this is more of a piracy thing than theft.

      can hacking groups be sent DMCA notices?

      • no it's fake news because comcast/xfinity has sworn up and down that they value your privacy and protect customer data (unless they're selling it for those sweet sweet adbux) So really this is more of a piracy thing than theft.

        can hacking groups be sent DMCA notices?

        But..But.. I don't know if you were around when this cloud thing started, but I recall saying that storing your personal data on someone else's server at someone else's company where you are nothing more than just another customer, that your data would not be secure and could not be secure. And that was because we're talking business, which only cares that you pay them, and that has to make a bigger profit every quarter, and is staffed by humans that may or may not care.

        I was descended on like a wildebe

  • Once comcast forced a password change Thunderbird required a new password. There should be a field under "Account Settings" for a password. There is a password manager but then you have to enter a password for the password manager. I created another profile and imported my old data but lost my calendar. This is going to happen again so if anyone knows how to change a password in TB please post a howto or at least post a good reference. Or even recommend a better mail program.
    • The TB failure windows has a "Change Password" button. Click it, then manage any two factor business without getting out of sync (the 15 min good-for time is instantly over if you to it again).
  • Weird that it would get reported as a sub-brand. at the corporate level xfinity is the "doing business as" and xfinity is a case study in failed rebranding.

    • by sjames ( 1099 )

      Sort of, Their business accounts are handled by Comcast, and the separate residential services are under a division they call Xfinity.

  • by NothingWasAvailable ( 2594547 ) on Tuesday December 19, 2023 @12:45PM (#64091203)

    I had a very weird interaction with spammers a couple months ago, around the time this hack happened.

    I was called repeatedly by someone claiming to be Xfinity who wanted me to upgrade services. I called Xfinity back and they told me that nobody from them would call me, and that they hadn't placed the call.

    The next time the spammer called, I told them I didn't believe it was Xfinity. They got indignant and told me how much my last bill was, and when I paid it.

    I called Xfinity back and was connected with their Security department.

    Somebody has had access to their databases for a while.

  • Comcast admin: A user download 1T of files

    Comcast mang: Ban the user now, stop him!

    Comcast admin: someone is accessing 2T data from outside our intranet

    Comcast mang: Why should I care.

  • SMFH (Score:5, Insightful)

    by eriks ( 31863 ) on Tuesday December 19, 2023 @05:47PM (#64091815)

    I just logged into my xfinity account. No prompt to change my password. Their site is a shitshow. Not surprised they got owned. Most of the "leaked" data is pretty ho-hum at this point, since it's all been "leaked" so many times for most of us that it doesn't really matter, but the million dollar question: did the leak include customer IP addresses? TFA doesn't say. I realize that comcast probably already sells that data to the highest bidder, but now if it's "out there" for anyone to grab, anyone can use that data to identify LOTS of people by IP address...

    • Surely that cannot be true since that would mean that VPNs provide some security and I see article after article about how useless they are.

      • by eriks ( 31863 )

        If one already has good security in place, VPNs really can't increase that, but they *can* make it harder to find someone's identity from an IP address, if, and only if, the VPN provider doesn't know who you are. In other words if the VPN provider gets their data exfiltrated, and that data contains IP addresses that are linked to you personally, then you can (potentially) be ID'd by an IP address, just like if your ISP "leaks" that same data. Some VPN providers make a big deal about deleting logs and big

        • It really depends on your situation you can get really crazy paying for things with crypto and gift cards and complicated setups if you want. Most people just need enough protection against aggregation using public data dumps and stuff like that. Nobody should be able to get your IP with a dump from your dog groomer and then figure out you’re unironically a big fan of goatse by checking the IP in another dump. it’s not illegal just private.

  • This won't stop (Score:5, Insightful)

    by RitchCraft ( 6454710 ) on Tuesday December 19, 2023 @06:08PM (#64091881)

    This won't stop until companies are held liable for major vulnerabilities, in this case Citrix. Fine the shit out of them so it actually hurts, perhaps they may spend more than a day or two pen testing their software and stop hiring copypasta programmers from third world countries. This goes the same for companies with lax security procedures such as not patching vulnerabilities, but in this case Xfinity was targeted before the patch was available.

  • Sums it all up.
  • No punishment whatsoever. Not even the mostly useless I.D. protection service provided to their customers for free for a year. WTF? Why would they bother to change if it doesn't cost them anything?

"The vast majority of successful major crimes against property are perpetrated by individuals abusing positions of trust." -- Lawrence Dalzell

Working...