On 18 December 2023, Comcast-owned Xfinity announced a data breach of their information systems impacting all their clients.[1] All usernames and an encoded (hashed) version of their passwords were stolen. A subset of customer names, contact information, Social Security numbers (last 4 digits), and the answers to their secret questions were also stolen.
Details:
This is a follow-up to our blog post. All Xfinity customers are at high risk of identity theft due to this breach. The first recommendation from Xfinity is to change the login password for their Xfinity account, and immediately enable two-factor authentication (2FA).
Due to the loss of personally identifiable information, we recommend the following:
1. Place a credit freeze with all three of these credit monitoring companies.
a. Equifax, PO Box 740241, Atlanta, GA 30374 - www.equifax.com - 888-378-4329
b. Experian, PO Box 2002, Allen, TX 75013 - www.experian.com - 888-397-3742
c. TransUnion, PO Box 1000, Chester, PA 19016 - www.transunion.com - 800-888-4213
2. Xfinity has not offered credit monitoring services to their customers. If you have been the victim of a recent breach, you may already have a credit monitoring service. Otherwise, here’s a link to Money Magazine’s recommended services: https://money.com/best-credit-monitoring-services/
3. Change passwords across the board and ensure you save the updated passwords in an encrypted password keeper service, such as LastPass, 1Password, Keeper, etc. Do not reuse passwords; each must be unique.
4. For every service that offers two-factor authentication (2FA), enable this service right away.
5. Consider an identity theft insurance company (e.g., Lifelock, IdentityForce, IdentityWorks, etc.).
6. For Xfinity Mobile users, if your phone stops working (calls, text messages, etc.), contact them right away.
7. Order your free credit reports and review them for any unrecognized activity.
o AnnualCreditReport.com
Protecting your home and office: Whenever login credentials have been compromised, assume your home or office has been compromised too.
Full list of US government tips:
Keep these tips in mind to protect yourself from identity theft:
· Secure your Social Security number (SSN). Don't carry your Social Security card in your wallet. Only give out your SSN when necessary.
· Don't share personal information (birthdate, Social Security number, or bank account number) just because someone asks for it.
· Collect mail every day. Place a hold on your mail when you are away from home for several days.
· Pay attention to your billing cycles. If bills or financial statements are late, contact the sender.
· Use the security features on your mobile phone.
· Update sharing and firewall settings when you're on a public wi-fi network. Use a virtual private network (VPN) if you use public wi-fi.
· Review your credit card and bank account statements. Compare receipts with account statements. Watch for unauthorized transactions.
· Shred receipts, credit offers, account statements, and expired credit cards. This can prevent “dumpster divers” from getting your personal information.
· Store personal information in a safe place.
· Install firewalls and virus-detection software on your home computer.
· Create complex passwords that identity thieves cannot guess. Change your passwords if a company that you do business with has a breach of its databases.
· Review your credit reports once a year. Be certain that they don't include accounts that you have not opened. You can order them for free from Annualcreditreport.com.
· Freeze your credit files with Equifax, Experian, Innovis, TransUnion, and the National Consumer Telecommunications and Utilities Exchange for free. Credit freezes prevent someone from applying for and getting approval for a credit account or utility services in your name.
Conclusions:
We expect 2024 to be even busier than 2023 when it comes to fighting to protect your privacy, corporate information, and your finances. To combat that, we are creating tailored services for each of our clients to ensure comprehensive protection. We will also continue to reach out to answer your questions and provide professional recommendations on how to better protect your resources, your identity, and your reputation.
If you have any questions, please contact your Virtual CISO®. For after-hours support or to report a cybersecurity incident immediately, call us at +1 (800) 853-6431, Extension 1, or send an email to us at support@trustedinternet.io.
[1] Notice To Customers of Data Security Incident (xfinity.com)