Comcast's Xfinity subsidiary has entered the payout phase of its 2023 data breach, with claims opening in April 2026 under a $117.5 million class action settlement. The incident, confirmed by Comcast in December 2023, exposed the personal data of approximately 36 million customers after attackers exploited the Citrix NetScaler vulnerability commonly known as "Citrix Bleed" (CVE-2023-4966) during a four-day window in October 2023.
What Happened
On October 10, 2023, Citrix disclosed a critical vulnerability in its NetScaler ADC and Gateway products, releasing an initial patch and follow-up mitigation guidance on October 23. Between October 16 and October 19, before Xfinity completed mitigation, threat actors obtained unauthorized access to internal systems. Xfinity discovered the intrusion in late October, notified federal law enforcement, and publicly disclosed the incident on December 18, 2023. A consolidated class action lawsuit followed, culminating in a $117.5 million settlement. Affected customers can now file claims using the unique member ID distributed via Comcast's breach notification emails, with a flat estimated payout of $50 per claimant or higher amounts supported by documentation of out-of-pocket losses.
What Was Taken
Xfinity confirmed that attackers likely acquired usernames and hashed passwords for the full 36 million affected accounts. For a subset of customers, the stolen dataset also included full names, contact information, the last four digits of Social Security numbers, dates of birth, and secret questions and answers used for account recovery. The combination of recovery questions, partial SSNs, and birth dates makes this dataset particularly useful for identity verification bypass, SIM swap attacks, and credential stuffing campaigns against unrelated services.
Why It Matters
The Xfinity case is the highest-profile consumer settlement tied directly to Citrix Bleed, cementing the vulnerability's place among the most consequential edge-device exploits of the decade. It demonstrates that even organizations patching within the vendor's recommended window can still suffer breach outcomes if attackers exploit the gap between public disclosure and internal deployment. For defenders, the case reinforces that hashed password leaks combined with static recovery answers create durable credential exposure that does not expire with a password reset. The settlement structure also signals ongoing regulatory and civil liability risk for telecom providers holding large identity datasets.
The Attack Technique
The initial access vector was exploitation of CVE-2023-4966, a sensitive information disclosure vulnerability in Citrix NetScaler ADC and Gateway appliances configured as a gateway or AAA virtual server. The flaw allowed unauthenticated attackers to leak session tokens directly from appliance memory, enabling session hijacking and MFA bypass against authenticated users. Threat actors, including ransomware affiliates tracked by Mandiant and other vendors, weaponized the bug within days of disclosure. In Xfinity's case, attackers operated inside the four-day window between Citrix's initial advisory and Comcast's completion of mitigation, exfiltrating customer data from internal systems before detection.
What Organizations Should Do
- Treat edge appliance CVEs as emergency patches with same-day remediation SLAs, not standard maintenance windows, and terminate all active sessions after patching to evict hijacked tokens.
- Inventory NetScaler, VPN, and gateway devices and confirm that CVE-2023-4966 mitigations, including session termination, were fully applied across all appliances, not just patched binaries.
- Migrate away from static knowledge-based recovery questions toward cryptographic or out-of-band verification to limit damage from future identity data leaks.
- Enforce password rotation and continuous credential-stuffing monitoring for any workforce or customer accounts whose credentials may have been reused from the Xfinity dataset.
- Review customer notification, claims handling, and legal reserve processes against the Xfinity settlement template to benchmark breach response cost exposure.
- Deploy behavioral detections for anomalous session reuse, geographic impossibility, and privileged access from newly observed client fingerprints on gateway infrastructure.
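The following is an added example, not code from Xfinity, Comcast or Citrix, showing the two checks the list above calls for: flagging a session token reused from a second source IP or client fingerprint (the symptom of a stolen NetScaler session), and listing sessions that were established before a patch timestamp yet remained active afterwards, which indicates that session termination was skipped. The log line format and all IPs, users and session ids are constructed for illustration and are not the real NetScaler log format.

```python
"""Hijacked-session indicators in gateway access logs (added example).

The line format below is CONSTRUCTED for this example; real NetScaler
syslog records look different, so adapt LINE_RE to your appliance's output.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r'^(?P<ts>\S+) session=(?P<sid>\S+) user=(?P<user>\S+) '
    r'src=(?P<src>\S+) ua="(?P<ua>[^"]*)"$'
)

# Constructed sample: alice's legitimate session, then the same token replayed
# from a different source address with a different client; bob is clean.
SAMPLE_LOG = """\
2023-10-17T08:12:01Z session=3f9c1a user=alice src=198.51.100.7 ua="Citrix Workspace"
2023-10-17T08:15:40Z session=3f9c1a user=alice src=198.51.100.7 ua="Citrix Workspace"
2023-10-17T08:16:02Z session=3f9c1a user=alice src=203.0.113.44 ua="curl/8.1"
2023-10-17T09:01:13Z session=77bd02 user=bob src=192.0.2.19 ua="Citrix Workspace"
2023-10-17T09:05:13Z session=77bd02 user=bob src=192.0.2.19 ua="Citrix Workspace"
"""

def _ts(text):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def parse(log_text):
    """Return a list of event dicts for every line matching LINE_RE."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = _ts(d["ts"])
            events.append(d)
    return events

def find_session_reuse(events):
    """Session ids seen from more than one source IP or more than one client UA."""
    seen = defaultdict(lambda: {"src": set(), "ua": set(), "user": None})
    for e in events:
        seen[e["sid"]]["src"].add(e["src"])
        seen[e["sid"]]["ua"].add(e["ua"])
        seen[e["sid"]]["user"] = e["user"]
    return {sid: v for sid, v in seen.items() if len(v["src"]) > 1 or len(v["ua"]) > 1}

def sessions_surviving_patch(events, patched_at_iso):
    """Session ids first seen before the patch time and still active at or after it."""
    patched_at = _ts(patched_at_iso)
    first, last = {}, {}
    for e in events:
        first.setdefault(e["sid"], e["ts"])
        last[e["sid"]] = e["ts"]
    return sorted(s for s in first if first[s] < patched_at <= last[s])
```

Feed both functions the appliance's real export once LINE_RE matches it; any hit from `find_session_reuse` is a candidate hijacked token to revoke, and a non-empty `sessions_surviving_patch` result means the post-patch session flush was not applied.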
Sources: 36M Xfinity customers had their data exposed – here's how to claim your payout - 9to5Mac