
Xfinity waited to patch critical Citrix Bleed 0-day. Now it’s paying the price

A parked Comcast service van with the

Getty Images | Smith Collection/Gado

Comcast waited as many as nine days to patch its network against a high-severity vulnerability, a lapse that allowed hackers to make off with password data and other sensitive information belonging to 36 million Xfinity customers.

The breach, which was carried out by exploiting a vulnerability in network hardware sold by Citrix, gave hackers access to usernames and cryptographically hashed passwords for 35.9 million Xfinity customers, the cable TV and Internet provider said in a notification filed Monday with the Maine attorney general’s office. Citrix disclosed the vulnerability and issued a patch on October 10. Comcast didn’t patch its network until October 16 at the earliest and October 19 at the latest, a lapse of six to nine days. On October 18, researchers reported that the vulnerability, tracked as CVE-2023-4966 and by the name Citrix Bleed, had been under active exploitation since August.

“However, we subsequently discovered that prior to mitigation, between October 16 and October 19, 2023, there was unauthorized access to some of our internal systems that we concluded was a result of this vulnerability,” an accompanying notice stated. “We notified federal law enforcement and conducted an investigation into the nature and scope of the incident. On November 16, 2023, it was determined that information was likely acquired.”

Comcast is still investigating exactly what data the attackers obtained. So far, Monday’s disclosure said, information known to have been taken includes usernames and hashed passwords, names, contact information, the last four digits of social security numbers, dates of birth, and/or secret questions and answers. Xfinity is Comcast’s cable television and Internet division.

Citrix Bleed has emerged as one of the year’s most severe and widely exploited vulnerabilities, with a severity rating of 9.4 out of 10. The vulnerability, residing in Citrix’s NetScaler Application Delivery Controller and NetScaler Gateway, can be exploited without any authentication or privileges on affected networks. Exploits disclose session tokens, which the hardware assigns to devices that have already successfully provided login credentials. Possession of the tokens allows hackers to override any multi-factor authentication in use and log in to the device.
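Because the leaked tokens belong to sessions that have already passed MFA, the defensive signal is not a failed login but a valid token turning up from an unexpected client. The following is an added example and is not code from the article, Comcast or Citrix: it binds each session token to the client fingerprint seen at login and flags later use of that token by a different client, or use of a token for which no login was ever recorded. The log format, field names and sample entries are constructed for illustration and do not match NetScaler’s real log format.

```python
# Added example (not from the article, Comcast or Citrix): detect a session
# token being presented by a client other than the one that logged in, which
# is what a stolen post-MFA token looks like from the defender's side.
# The key=value log format below is constructed; real NetScaler logs differ.
import shlex
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Event:
    ts: int           # Unix timestamp (constructed values in SAMPLE_LOG)
    session: str      # opaque session token identifier
    src_ip: str       # client address that presented the token
    user_agent: str   # client User-Agent string
    action: str       # "login" (credentials + MFA accepted) or "request"


def parse_line(line: str) -> Event:
    """Parse one constructed 'key=value' log line; quoted values may contain spaces."""
    fields = dict(tok.split("=", 1) for tok in shlex.split(line))
    return Event(
        ts=int(fields["ts"]),
        session=fields["session"],
        src_ip=fields["src"],
        user_agent=fields["ua"],
        action=fields["action"],
    )


def detect_token_reuse(lines: Iterable[str]) -> List[dict]:
    """Return one alert per event in which a token is used by an unexpected client.

    Rules:
      client_changed     the token was bound at login to (src_ip, user_agent)
                         and is now presented with a different pair
      no_login_observed  the token is presented but no login for it was seen,
                         which is how a token lifted from appliance memory looks
    """
    # session id -> (src_ip, user_agent) fingerprint captured at login time
    bound: Dict[str, Tuple[str, str]] = {}
    alerts: List[dict] = []
    for ev in map(parse_line, filter(str.strip, lines)):
        fp = (ev.src_ip, ev.user_agent)
        if ev.action == "login":
            bound[ev.session] = fp    # (re)bind on every successful login
            continue
        expected = bound.get(ev.session)
        if expected is None:
            alerts.append({"ts": ev.ts, "session": ev.session,
                           "reason": "no_login_observed", "seen": fp})
        elif expected != fp:
            alerts.append({"ts": ev.ts, "session": ev.session,
                           "reason": "client_changed",
                           "expected": expected, "seen": fp})
    return alerts


# Constructed sample log: s-1001 logs in from one client, then its token is
# replayed from another address with a scripting user agent; s-2002's token
# appears without any login having been recorded for it.
SAMPLE_LOG = """\
ts=1697472000 session=s-1001 src=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0)" action=login
ts=1697472060 session=s-1001 src=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0)" action=request
ts=1697472120 session=s-1001 src=198.51.100.77 ua="python-requests/2.31" action=request
ts=1697472180 session=s-2002 src=192.0.2.44 ua="curl/8.4.0" action=request
"""

if __name__ == "__main__":
    for alert in detect_token_reuse(SAMPLE_LOG.splitlines()):
        print(alert)
```

Binding on source address and user agent is a coarse fingerprint (mobile users change addresses, and an attacker can copy a user agent), so in practice this rule is a triage signal to combine with session revocation and with the vendor’s guidance to terminate active sessions after patching, not a standalone verdict.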

Other companies that have been hacked through Citrix Bleed include Boeing; Toyota; DP World Australia, a branch of the Dubai-based logistics company DP World; Industrial and Commercial Bank of China; and law firm Allen & Overy.

The name Citrix Bleed is an allusion to Heartbleed, a different critical information disclosure zero-day that turned the Internet on its head in 2014. That vulnerability, which resided in the OpenSSL code library, came under mass exploitation and allowed the pilfering of passwords, encryption keys, banking credentials, and all sorts of other sensitive information. Citrix Bleed hasn’t been as dire because fewer vulnerable devices are in use.

A sweep of the most active ransomware sites didn’t turn up any claims of responsibility for the hack of the Comcast network. An Xfinity representative said in an email that the company has yet to receive any ransom demands, and investigators aren’t aware of any customer data being leaked or of any attacks on affected customers.

Comcast is requiring Xfinity customers to reset their passwords to protect against the possibility that attackers can crack the stolen hashes. The company is also encouraging customers to enable two-factor authentication. The representative declined to say why company admins didn’t patch sooner.

Post updated to change patch lapse from 13 days to six to nine days.
