Comcast’s $117.5 million data breach settlement pays up to $10,000 for documented losses — or $50 with no receipts if you file by August 14

Comcast at the Bud Billiken Parade 2015

Nearly 36 million Xfinity customers had their personal data stolen in October 2023, and Comcast is now paying $117.5 million to settle the class-action lawsuit that followed. The claims window is open, but it closes on August 14, 2025, and anyone who misses the deadline walks away with nothing.

The settlement, reached in federal court, offers two paths. Customers who can document financial harm linked to the breach, such as fraudulent charges, out-of-pocket identity theft costs, or hours spent cleaning up damage, may claim up to $10,000. Those who were affected but lack paperwork can file a simplified claim for a flat $50 payment. Both options require submitting a form through the official settlement website before the deadline. Comcast has not admitted wrongdoing as part of the agreement, which is standard in class-action settlements of this kind.

What happened and what was exposed

Between October 16 and 19, 2023, attackers exploited a critical flaw in Citrix networking software to penetrate Comcast’s internal systems. The vulnerability, tracked as CVE-2023-4966 and known in the security community as “CitrixBleed,” had been publicly disclosed and patched by Citrix on October 10. Comcast’s systems had not yet been updated when the intrusion began six days later.

According to Comcast’s breach notification filed with the Maine Attorney General, the incident affected 35,879,455 people. The stolen data included usernames, hashed passwords, names, contact details, dates of birth, the last four digits of Social Security numbers, and answers to secret security questions.

Partial Social Security numbers, birth dates, and security question answers are the same combination that banks, insurers, and government agencies use to verify identity over the phone or online. Attackers holding all three can attempt account takeovers far beyond Xfinity.

Comcast did not begin notifying affected customers until December 18, 2023, roughly two months after the intrusion. The same incident is recorded in Maine’s master breach log, confirming the dates and scope Comcast reported.

How regulators responded

State attorneys general acted quickly once Comcast’s disclosure went public. Michigan Attorney General Dana Nessel issued a public alert on December 20, 2023, just two days after the notification, urging residents to change their Xfinity passwords immediately and to update credentials on any other account where they had reused the same login. Nessel’s office warned explicitly that stolen credentials could be leveraged to break into banking, email, and social media accounts.

At the time of the original disclosure, Comcast offered affected customers two years of complimentary credit monitoring through Experian. That offer was separate from the settlement fund now available and does not reduce any claim a customer may file.

How the settlement works

The $117.5 million fund was established through a class-action lawsuit filed on behalf of affected customers. As of May 2026, the claims process is open and the firm deadline to submit is August 14, 2025.

Here is what each tier requires:

  • Up to $10,000 (documented losses): You need to show that the breach caused you specific, provable financial harm. Supporting evidence can include bank or credit card statements showing unauthorized charges, receipts for credit monitoring services you purchased yourself, police reports tied to identity theft, or a log of time spent resolving fraud (valued at an hourly rate set by the settlement terms). The more directly you can connect a loss to the Comcast breach, the stronger your claim.
  • $50 flat payment (no documentation needed): If you were part of the affected group but do not have records showing specific losses, you can file a simplified claim. No receipts, statements, or proof of harm are required.

One factor working in claimants’ favor: participation rates in large consumer settlements tend to be low. The Federal Trade Commission has noted in past analyses that only a small fraction of eligible consumers typically file, which means much of a settlement fund can go unclaimed. If relatively few of the 36 million eligible customers submit forms, individual payouts on the $50 tier are more likely to be paid in full. If filing volume is unexpectedly high, flat payments could be reduced proportionally.

What to do before the deadline

If you had an Xfinity internet or cable account in October 2023, start by checking whether you received a breach notification from Comcast by email or postal mail in late 2023. Even if you did not get one, you may still be eligible based on the account records Comcast submitted to state regulators.

For anyone considering the documented tier, the time to gather records is now. Pull bank and credit card statements from late 2023 onward and flag any unfamiliar transactions. Check your credit reports at AnnualCreditReport.com for accounts or inquiries you do not recognize. If you filed a police report or an identity theft affidavit through the FTC at IdentityTheft.gov, keep copies ready to upload.

Whether or not you plan to file a claim, the types of data exposed in this breach warrant caution. Change your Xfinity password if you have not already done so, and update any other account where you used the same password or the same security questions. Enable two-factor authentication wherever it is available. The combination of partial Social Security numbers, birth dates, and security question answers gives attackers enough raw material to attempt identity verification at financial institutions for years.

Why the payout gap matters for 36 million affected customers

The distance between $50 and $10,000 reflects how the settlement distributes its fund. Customers who suffered direct, documentable financial harm are positioned to recover meaningful compensation, while the majority of affected customers, who may not have records tying specific losses to this breach, are limited to the flat payment. For most of the nearly 36 million people in this settlement class, the realistic outcome is either $50 or nothing at all.

A $50 claim takes only a few minutes to file, and the August 14 deadline will not be extended. Anyone who suspects they suffered actual financial damage from this breach should use the time before that date to organize documentation rather than wait.