A patch for a serious flaw in Citrix’s NetScaler software was made available on October 10, 2023. The vulnerability, identified by security researchers as CVE-2023-4966 and subsequently dubbed Citrix Bleed, gave hackers the ability to take over authenticated user sessions, effectively using the digital equivalent of a stolen key to enter a door that should have been locked. Before hackers showed up, Comcast had six days to implement the fix. They were unable to complete it in time. Attackers gained access to Xfinity’s systems for four days between October 16 and October 19, during which time they extracted customer data while the patch remained uninstalled.
About 35.8 million people’s personal information was compromised; by some accounts, this number surpassed Comcast’s total broadband subscriber base at the time. That is almost all Xfinity accounts: this was not a regional vulnerability or a targeted attack on a particular segment, but nearly all of them. The exposed data included usernames, hashed passwords, the last four digits of Social Security numbers, dates of birth, contact information, and, for a particularly concerning subset of customers, the answers to security questions.
About two months after the intrusion, on December 18, 2023, Comcast made the breach public. The company told reporters that it was “not aware of any customer data being leaked anywhere, nor of any attacks on our customers.” By then, according to cybersecurity researchers at Mandiant, Google’s incident response division, ransomware groups were actively weaponizing Citrix Bleed against other companies. By December the vulnerability was widely known, but there is no public evidence that directly connects those groups to the Xfinity intrusion. It is this sequence, from patch release to attack window to public disclosure, that leads to class action lawsuits.
The resulting lawsuit, which was consolidated under the case name Hasson v. Comcast Cable Communications, LLC, has now been settled by Comcast for $117.5 million. The U.S. District Court for the Eastern District of Pennsylvania has set a hearing for July 7, 2026, in Philadelphia, where the settlement is awaiting final approval. The deadline for filing claims is August 14, 2026. If eligible customers do nothing by that date, they will forfeit their ability to sue for the breach, but they will still be eligible for the three-year identity protection package that is automatically available to the entire settlement class.
There are multiple tiers in the compensation structure. Customers are eligible to receive up to $10,000 if they can provide proof of out-of-pocket expenses related to the breach, such as fees for credit monitoring services, credit freeze charges, identity theft insurance they purchased in response, and fraudulent charges they incurred. Those who spent time handling the fallout can also claim up to five hours of lost time at $30 per hour. For those without specific documented losses, there is a flat alternative cash payment of about $50, though the amount will vary based on the total number of claims filed: the higher the participation, the smaller the amount per person.
Five Days, Four Days, 35 Million Customers: The Story Behind the Xfinity Data Breach Settlement
| Case Name | Hasson v. Comcast Cable Communications, LLC |
|---|---|
| Defendant | Comcast Corporation (operating as Xfinity) |
| Court | U.S. District Court, Eastern District of Pennsylvania |
| Settlement Amount | $117.5 million |
| Breach Dates | October 16–19, 2023 (4-day window) |
| Public Disclosure Date | December 18, 2023 (~2 months after breach) |
| Vulnerability Exploited | Citrix NetScaler “Citrix Bleed” flaw (CVE-2023-4966) |
| Citrix Patch Released | October 10, 2023 (6 days before breach began) |
| Customers Affected | Approximately 35.8 million |
| Data Compromised | Usernames, hashed passwords, partial Social Security numbers (last 4 digits), dates of birth, contact info, security questions and answers |
| Settlement Administrator | Kroll Settlement Administration LLC |
| Claim Filing Deadline | August 14, 2026 |
| Opt-Out / Objection Deadline | June 1, 2026 |
| Final Approval Hearing | July 7, 2026 — Philadelphia |
| Max Cash Payout (Documented) | Up to $10,000 per claimant |
| Alternative Cash Payment | Approximately $50 (no documentation required; subject to pro-rata adjustment) |
| Lost Time Compensation | Up to 5 hours at $30/hour ($150 maximum) |
| Identity Protection Offered | 3 years — CyEx Financial Shield Complete; includes dark web monitoring, 1-bureau credit monitoring, $1 million identity theft insurance |
| Attorney Fees Sought | Up to ~$39.2 million |
| Administration Costs | ~$7.3 million |
| Class Representative Awards | $5,000 each for 11 representatives |
| Comcast’s Position | Denies all wrongdoing; settled to avoid cost and uncertainty of trial |
| Claim Website | comcastbreachsettlement.com |
| Settlement Phone | (833) 319-2401 |

The difference between $10,000 and $50 is important. The majority won’t have any paperwork. In October or December of 2023, most people had no idea that they should start keeping receipts for credit monitoring services purchased specifically in reaction to this particular breach. They may have called their bank, set up alerts, and changed their passwords, but none of that creates the kind of paper trail a claims administrator wants to see. The practical outcome is that the great majority of the 35.8 million eligible customers, if they file at all, will receive roughly $50.
The three-year identity monitoring package offered to all class members through CyEx Financial Shield Complete is perhaps more valuable than the cash payment. It includes real-time transaction alerts, one-bureau credit monitoring, dark web monitoring, and identity theft insurance of up to $1 million. The three-year term matters because the information exposed in this breach (security questions, partial Social Security numbers, and dates of birth paired with usernames) does not get any less hazardous over time. This type of information circulates in criminal markets for years before it is used, resold, or combined with other stolen data to build more comprehensive profiles. Monitoring is a reasonable ongoing response, but it is not a cure.
Comcast has consistently denied any wrongdoing, portraying the settlement as a business decision to reduce the risk and cost of a trial. That stance is legally sound and probably strategically sound as well. A trial would have involved testimony about what Comcast’s IT security team knew about the Citrix vulnerability, when they learned of it, and why a patch released on October 10 had not been fully deployed before October 16. Discussing that under oath is uncomfortable.
Watching settlements like this move through the legal system gives the impression that businesses benefit more from the resolution than the individuals whose data was stolen. Comcast makes a sizable payment, denies any wrongdoing, and continues to operate with over 30 million broadband subscribers. A customer who files receives a small check and a monitoring package that notifies them after something has already gone wrong. The vulnerability that made all of this possible had been identified and patched by the vendor before the attack started. $117.5 million divided by 35 million people doesn’t fully address the issue that sits awkwardly in the middle of the entire narrative.