























Data Breach
getty
More than 35 million current and former Xfinity customers have until August 14, 2026, to claim their share of a $117.5 million settlement tied to one of the largest consumer data breaches disclosed in the past two years. Eligible claimants can receive a flat cash payment of roughly $50 with no documentation or up to $10,000 in reimbursements for documented losses and lost time.
The settlement resolves Hasson v. Comcast Cable Communications, LLC, a consolidated class action filed in the U.S. District Court for the Eastern District of Pennsylvania. The lawsuit alleged that Comcast failed to reasonably secure customer data, violated the federal Cable Act and delayed notifying affected customers. Comcast has denied any wrongdoing and agreed to settle, according to the official settlement documents, to avoid the cost and uncertainty of a trial.
The underlying breach occurred between Oct. 16 and Oct. 19, 2023, when attackers exploited an unpatched vulnerability in Citrix NetScaler products known as Citrix Bleed, cataloged as CVE-2023-4966. Citrix had released a fix on Oct. 10, 2023, five days before the intrusion began. According to Comcast's breach notification filed with the Maine Attorney General's office and reported by The Verge, the company did not fully implement the patch in time. Intruders used the flaw to hijack authenticated sessions and extract customer records.
The compromised data varied by customer. For most of the nearly 36 million people listed in the Maine filing, attackers obtained usernames and hashed passwords. For a subset, the exposure also included names, contact information, the last four digits of Social Security numbers, dates of birth and answers to security questions. The combination matters more than any single field. A hashed password is not a cleartext credential on its own. Paired with a known username, a birthdate and a correct answer to “What is your mother's maiden name?” it gives an attacker nearly everything needed to reset accounts elsewhere. That is the kind of credential-stuffing and account-takeover risk Citrix Bleed enabled downstream.
Comcast publicly disclosed the breach on Dec. 18, 2023, roughly two months after the intrusion. The company told reporters at the time that it was "not aware of any customer data being leaked anywhere, nor of any attacks on our customers." Researchers at Mandiant, Google's incident response firm, had by then already documented Citrix Bleed being weaponized by affiliates of the LockBit and Medusa ransomware groups against other targets. No public evidence ties either group to the Xfinity intrusion specifically.
Under the settlement, eligible class members are U.S. residents who received a Comcast breach notice on or around Dec. 18, 2023. They have four benefits to choose from. The first is an alternative cash payment of roughly $50 with no documentation, subject to pro-rata adjustment based on total claims filed. The second is reimbursement of up to $10,000 for documented out-of-pocket losses tied to the breach, including credit monitoring fees, credit freeze and unfreeze charges, identity theft insurance, postage and any unreimbursed fraudulent charges or falsified tax returns. The third is lost time at $30 per hour for up to five hours, capped at $150 and counted against the $10,000 ceiling. The fourth applies to everyone in the class whether they file or not: three years of CyEx Financial Shield identity monitoring with $1 million in identity theft insurance. Enrollment codes shipped with the original breach notice.
The $117.5 million fund will be reduced by up to roughly $39.2 million in attorneys’ fees, about $7.3 million in administration costs and service awards of $5,000 for each of the 11 class representatives. The remainder is what claimants split.
Three dates matter. The opt-out and objection deadline is June 1, 2026. The final approval hearing is scheduled for July 7, 2026 at 10 a.m. ET in Philadelphia. The claim filing deadline is Aug. 14, 2026. Class members who do nothing will give up their right to sue Comcast over the breach but will still receive the automatic identity monitoring.
Current and former Xfinity customers who believe they were affected but did not receive a notice can submit an ID Look Up Form through the official settlement site, administered by Kroll Settlement Administration. Claims can be filed online using the class member ID from the December 2023 notice or by mail postmarked no later than Aug. 14, 2026 to Hasson v. Comcast Cable Communications LLC, c/o Kroll Settlement Administration LLC, P.O. Box 5324, New York, NY 10150-5324.
Anyone whose partial Social Security number, date of birth and security-question answers were exposed should assume those identifiers are in criminal circulation and act accordingly. A credit freeze with Equifax, Experian and TransUnion is free, takes a few minutes and blocks new accounts from being opened in your name. It is a stronger protection than identity monitoring alone, which only alerts you after misuse has already happened.
Expect phishing. Settlements of this size reliably produce a wave of fake claim-assistance emails, spoofed settlement sites and phone calls demanding upfront fees. Kroll is the real administrator. The real site is comcastbreachsettlement.com. There is no fee to file a claim. No legitimate party will call and ask for your Social Security number or bank account to verify your eligibility.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。