Data leak

Xfinity/Comcast CitrixBleed Data Breach (35.8M Customers)

📅 2023-10-16 🏒 Citrix NetScaler ADC/Gateway 🔎 CVE-2023-4966
Primary Source ↗

Incident Details

Between October 16 and 19, 2023, attackers exploited the Citrix Bleed vulnerability (CVE-2023-4966) to gain unauthorized access to Comcast's Xfinity systems. Citrix had issued a patch on October 10, 2023, but Xfinity's systems were compromised before the patch was applied. Xfinity disclosed the breach on December 18, 2023, reporting approximately 35,879,455 affected individuals: nearly all of Xfinity's approximately 32 million customers plus some former customers. Exposed data included usernames and hashed passwords, and for some customers also names, contact information, the last four digits of Social Security numbers, dates of birth, and secret security question answers. Xfinity required all customers to reset their passwords. Comcast later agreed to a $117.5 million class-action settlement. CitrixBleed was widely exploited in late 2023 by multiple threat actors, including LockBit ransomware operators, affecting Boeing, the law firm Allen & Overy, DP World Australia, and many others. Note: this breach is distinct from the 2024 Comcast/Xfinity incident involving the FBCS third-party vendor, which resulted in an FCC fine.

Technical Details

Initial Attack Vector
Exploitation of Citrix Bleed (CVE-2023-4966), a critical vulnerability in Citrix NetScaler ADC/Gateway that enabled session token hijacking without authentication. Citrix released a patch on October 10, 2023, but attackers breached Xfinity's systems between October 16 and 19, before the patch was applied.
Vendor / Product
Citrix NetScaler ADC/Gateway
CVE / GHSA References
CVE-2023-4966

Timeline

  1. 2023-10-16 Breach occurred
  2. 2023-12-18 Publicly disclosed
  3. 2023-12-18 Customers notified