Hackers compromised a vulnerability in a third-party vendor that serviced Xfinity, which lead to some customer information being stolen, a state attorney general's report said.
Nearly 36 million people could be impacted by the hack, according to a filing from the Maine Attorney General's office.
On Oct. 10, Citrix announced there was a vulnerability in its software, the filing said. Xfinity patched the system initially, but on Oct. 23 Citrix announced they had another patch of their software to further address the vulnerability.
"However, we subsequently discovered that prior to mitigation, between October 16 and October 19, 2023, there was unauthorized access to some of our internal systems that we concluded was a result of this vulnerability," Xfinity said, according to the filing. "We notified federal law enforcement and conducted an investigation into the nature and scope of the incident. On November 16, 2023, it was determined that information was likely acquired."
Xfinity concluded on Dec. 6 that usernames and passwords for some customers were stolen along with names, contact information, last four digits of social security numbers, dates of birth and/or secret questions.
The company says it is still taking a complete stock of what was stolen.
Xfinity is recommending users proactively reset their passwords and said, "and we can't emphasize enough how seriously we are taking this matter."
"Customers trust Xfinity to protect their information, and the company takes this responsibility seriously. Xfinity remains committed to continued investment in technology, protocols and experts dedicated to helping to protect its customers," Xfinity said in a press release.
Comcast, Xfinity's parent company, did not respond to ABC News' request for comment.
Citrix has not responded to ABC News' request for comment.