WGNO

Social Security numbers of some Xfinity customers vulnerable in latest data breach: What to know

FILE - Signage for Xfinity, the cable division of Comcast, is displayed in Philadelphia, July 15, 2015. Hackers accessed Xfinity customers’ personal information by exploiting a vulnerability in software used by the company, the Comcast-owned telecommunications business announced this week. In a Monday, Dec. 18, 2023, notice to customers, Xfinity said there was unauthorized access to internal systems as a result of this vulnerability — which was previously announced by software provider Citrix — between Oct. 16 and 19. (AP Photo/Matt Rourke, File)

CHICOPEE, Mass. (WWLP) — A major data breach at Comcast-owned Xfinity has affected more than 35 million customers.

Not only is this breach an example of a dangerous and growing trend among hackers, but it has made millions of Americans very vulnerable.

Earlier this month, Xfinity issued a notice to customers warning them there was unauthorized access to internal systems as a result of this vulnerability — which was previously announced by software provider Citrix — between Oct. 16 and 19.

Xfinity discovered the “suspicious activity” on Oct. 25, and in the following months determined that information was “likely acquired.” On Dec. 6, the company concluded that information included usernames and hashed passwords — and, for some customers, the last four digits of Social Security numbers, account security questions, birthdates, and contact information.

Attorney Steven Weisman, editor of Scamicide.com, says the Xfinity data breach is especially bad for consumers because hackers were able to access the last four digits of people’s Social Security numbers. Hackers can easily figure out the first 5 digits themselves as they relate to where you live and where your card was issued.

“So if a criminal has the last four digits, the first three they can figure out easily, the second set they can get relatively easily, so it puts a lot of people in danger of identity theft,” explained Weisman.

The government started randomizing Social Security numbers to avoid this in 2011.

And these hackers are really pernicious. They didn’t hack into Xfinity per se, but they implanted their malware into software that Xfinity bought. Weisman says these are called “supply chain” hacks and they are a growing problem.

“They put their malware into the legitimate software. A company like Comcast gets some accounting software that they have no reason to think is any way tainted and bam – the malware is in there and the personal information is stolen,” said Weisman.

Analysis of the breach is still continuing but Xfinity is “not aware of any customer data being leaked anywhere, nor of any attacks on our customers,” the company said in a statement sent to The Associated Press on Dec. 19.

A filing with Maine’s office of the attorney general disclosed that nearly 35.9 million people were affected by this breach. The company declined to confirm a specific number, but noted the filing’s figure represents user IDs.

Data breaches like this one are becoming all too common. Xfinity is asking customers to monitor their credit, change their passwords, and enroll in a multi-step authentication process. People should also freeze their credit and check their credit scores regularly.

There’s no cost to freeze your credit, and it protects you from someone using your identity to make large purchases even if they have your Social Security number. Use the USA.gov website to learn more about how to freeze your credit.

The Associated Press contributed to this report.