US telecoms giant Comcast has disclosed a major data breach affecting some 35,879,455 American citizens.
The cable internet and television provider disclosed the massive data breach in an otherwise routine data breach filing with the state of Maine. Though the state rules only covered 50,782 citizens in Maine, the cable provider said that the exposure affected tens of millions of customers nationwide.
The issue in question was the Citrix Netscaler critical flaw known as 'Citrix Bleed' (CVE-2023-4966) . That vulnerability allowed attackers to steal session tokens and gain access to Netscaler sessions without authentication.
The flaw, classified as a "remote data exposure" bug was rated as a 9.4 on the CVSS scale and was considered a critical security risk when disclosed. The vulnerability was subject to active exploit before a fix was released.
Comcast says that while it moved to patch the bug in its systems, an attacker was able to exploit the flaw before it could get mitigations in place.
"We subsequently discovered that prior to mitigation, between October 16 and October 19, 2023, there was unauthorized access to some of our internal systems that we concluded was a result of this vulnerability," Comcast said in its filing.
"We notified federal law enforcement and conducted an investigation into the nature and scope of the incident. On November 16, 2023, it was determined that information was likely acquired."
Comcast said that it possibly exposed usernames and passwords, though much of that information may have been hashed and thus protected from remedial decryption techniques.
We concluded that the information included usernames and hashed passwords," Comcast said.
"For some customers, other information was also included, such as names, contact information, last four digits of social security numbers, dates of birth and/or secret questions and answers."
The cable provider is asking its customers to reset their passwords and change their authentication settings to include additional authentication if possible.