Xfinity Citrix Bleed Breach: 35 Million Customers Exposed via Software Flaw

Comcast's Xfinity division disclosed a breach affecting approximately 35.9 million customers resulting from the Citrix Bleed vulnerability, a critical flaw in Citrix networking software that was widely exploited across industries. Attackers accessed customer data including names, contact information, dates of birth, partial Social Security numbers, and hashed passwords. Comcast discovered the breach after patching the Citrix vulnerability, finding evidence that unauthorized parties had accessed systems during the window between public disclosure of the flaw and Comcast's patch implementation. The breach highlighted the persistent challenge of patch management: despite the vulnerability being publicly known and patches available, the time lag in enterprise patching gave attackers a window to exploit the flaw. Xfinity forced password resets for affected accounts and encouraged customers to enable two-factor authentication. The incident affected nearly all Xfinity internet customers, making it one of the largest ISP breaches in US history.

The ramifications of this incident extend beyond the immediate data exposure. Privacy regulators in multiple jurisdictions have opened investigations, and affected individuals are organizing collective action to demand accountability and meaningful remediation. The case highlights systemic weaknesses in how organizations handle personal data and the gap between corporate privacy promises and operational reality.

For impacted individuals, immediate action is critical. Filing a data subject access request forces the company to disclose exactly what data they hold about you, providing the foundation for deletion requests, regulatory complaints, and potential legal action. Below, we outline the specific data types at risk and the concrete steps you can take to protect yourself.