Cybersecurity · 2 Jan 2024 · 3m · assets.xfinity.com

Xfinity Alerts Customers About Data Security Incident

Xfinity has informed its customers about a data security incident that exposed personal information due to a vulnerability in a software product from Citrix. The company has taken steps to address the breach and urges customers to enhance their security measures.

Key Takeaways

  • 1. “We promptly patched and mitigated our systems,” said an Xfinity representative.
  • 2. “However, we subsequently discovered that prior to mitigation, unauthorized access had occurred.” Following the breach, Xfinity notified federal law enforcement and initiated an investigation to assess the extent of the incident.
  • 3. “Our data analysis is continuing, and we will provide additional notices as appropriate,” the representative added.

Xfinity has issued a notification to its customers regarding a data security incident that may have compromised certain personal information. The company detailed the nature of the breach and the steps taken to mitigate its effects, along with guidance for customers on safeguarding their data.

The incident traces back to October 10, 2023, when Citrix, a software provider for Xfinity, publicized a vulnerability in one of its products. Citrix acted promptly, releasing a patch to address the issue, but unauthorized access occurred on Xfinity's internal systems between October 16 and October 19. “We promptly patched and mitigated our systems,” said an Xfinity representative. “However, we subsequently discovered that prior to mitigation, unauthorized access had occurred.”

Following the breach, Xfinity notified federal law enforcement and initiated an investigation to assess the extent of the incident. By November 16, it was concluded that some information had likely been acquired during this unauthorized access period. “Our data analysis is continuing, and we will provide additional notices as appropriate,” the representative added.

By the Numbers

On December 6, Xfinity revealed the types of information that were potentially compromised. This included usernames and hashed passwords, with some customers potentially affected at a deeper level. “For some customers, other information was also included, such as names, contact information, last four digits of social security numbers, dates of birth and/or secret questions and answers,” the statement read.

In response to the incident and to enhance the security of customer accounts, Xfinity has mandated a password reset for users. Customers will be prompted to change their password the next time they attempt to log in. “To protect your account, we have proactively asked you to reset your password,” the Xfinity representative explained.

Customers are also advised to adopt additional security measures. “We strongly encourage you to enroll in two-factor or multi-factor authentication,” the representative noted. They also stressed the importance of not reusing passwords across various accounts and recommended that users change any similar information on other platforms.

In light of the incident, Xfinity has partnered with IDX, its incident response provider, to manage customer notifications and support. Customers can reach IDX at 888-799-2560 for assistance, available round-the-clock. Further details regarding the incident can also be found on the Xfinity website at www.xfinity.com/dataincident.

Xfinity expressed its commitment to data security, acknowledging customers' trust and the seriousness of the situation. “We can’t emphasize enough how seriously we are taking this matter,” said the representative. The company said it is dedicated to investing in technology, protocols, and expert resources to protect customer data.

To further bolster protection against identity theft and fraud, customers are encouraged to review account statements regularly and monitor their credit reports. Federal laws provide citizens with the right to request a free annual credit report, which can be obtained through multiple channels, including the official website www.annualcreditreport.com.

Customers are also informed about their options should they suspect identity theft. Reporting to the Federal Trade Commission (FTC) and engaging with the three major credit bureaus are crucial steps. The FTC can be contacted at 600 Pennsylvania Avenue NW, Washington, DC, while more information is available at www.identitytheft.gov.

Ultimately, while Xfinity continues to address the aftermath of this incident, the company recommends that customers take proactive steps in monitoring their information and enhancing their security practices. “We remain committed to continue investing in technology, protocols and experts dedicated to helping to protect your data,” concluded the Xfinity representative.