Yikes: Xfinity has suffered a data breach exposing the usernames, hashed passwords and potentially even partial Social Security numbers of 36 million internet subscribers

Comcast XFinity logo
(Image credit: SOPA Images / Contributor)

On December 18, Comcast notified customers of a "recent data security incident" with one of its software companies that exposed their personal information to an outside party. In October, someone gained "unauthorized access" to customers' usernames and hashed passwords for a period of four days. And it gets worse: Comcast says that "for some customers, other information was also included, such as names, contact information, last four digits of social security numbers, dates of birth and/or secret questions and answers."

As CBS News reports, the data breach seems to have affected basically everyone subscribed to Xfinity—some 36 million Comcast Xfinity subscribers. The company reported over 32 million internet customers in a recent earnings report; according to the data breach notification Comcast filed with the Maine attorney general's office on Monday, the October hack affected 35,879,455 people. That's nearly 36 million, "including residents," presumably meaning household members of Xfinity subscribers. That makes it hard to pin down exactly how many customers were victims of the breach, but regardless, if you're an Xfinity subscriber, change your password immediately.

According to Comcast, the company had determined "that information was likely acquired" in the breach back on November 16, and then it took until December 6 to determine that information included usernames, hashed passwords, and so on.

I'm sure there's a mountain of red tape and legal liability blah blah to wade through before reporting a breach that affects 36 million people—but also, Comcast could've potentially told those 36 million people to change their passwords and security questions more than a month ago. The company has given whoever hacked it a full extra month to make use of that compromising information.

The US government has recently been pushing for more cybersecurity regulation, and a new SEC measure on cybersecurity risk management, which just went into effect on December 18, requires companies to disclose "any cybersecurity incident they determine to be material [to investors]" within four business days. While the SEC's primarily out to protect the stock market here, the rules will hopefully also benefit anyone affected by a serious breach like this one by speeding up the notification process.

Xfinity is now prompting internet subscribers to reset their passwords. If you were impacted, also make sure to change your password on any other service you used the same password for, and make sure to enable two-factor authentication wherever you can. You should also change your security questions and/or enable two-factor authentication on any services where you used the same security questions, since those could potentially be used to gain access to your account even without the password.

Wes Fenlon
Senior Editor

Wes has been covering games and hardware for more than 10 years, first at tech sites like The Wirecutter and Tested before joining the PC Gamer team in 2014. Wes plays a little bit of everything, but he'll always jump at the chance to cover emulation and Japanese games.

When he's not obsessively optimizing and re-optimizing a tangle of conveyor belts in Satisfactory (it's really becoming a problem), he's probably playing a 20-year-old Final Fantasy or some opaque ASCII roguelike. With a focus on writing and editing features, he seeks out personal stories and in-depth histories from the corners of PC gaming and its niche communities. 50% pizza by volume (deep dish, to be specific).