Comcast’s $117.5 million data breach settlement pays up to $10,000 for documented losses — or a flat $50 cash if you file by August 14


Roughly 35.9 million Comcast Xfinity customers had their personal data stolen in a late-2023 cyberattack, and the company is now paying for it. A $117.5 million class action settlement gives affected customers two paths to compensation: file documentation of specific financial losses and claim up to $10,000 in reimbursement, or skip the paperwork and collect a flat $50 cash payment. The deadline for both options is August 14, 2026.

That may sound straightforward, but the details matter. Here is what actually happened, how the settlement works, and what you need to do to get paid.

What happened in the Comcast breach

Between October 16 and October 19, 2023, attackers exploited a critical vulnerability in Citrix networking software, a flaw known as “Citrix Bleed” and tracked as CVE-2023-4966, to penetrate Comcast’s internal systems. The company disclosed the intrusion in December 2023 and began notifying customers shortly after.

Comcast’s formal breach notification, filed with the Maine Attorney General’s office as required under state law, reported that approximately 35.9 million customer accounts were compromised. (That figure reflects the total Comcast reported to the state; it has not been independently verified.) The scale makes it one of the largest consumer data breaches in recent U.S. history.

The stolen data included usernames, hashed passwords, names, contact information, dates of birth, partial Social Security numbers, and answers to secret security questions. The password exposure is especially dangerous because any hashes that attackers crack enable credential-stuffing attacks, where criminals test stolen login combinations across banking, email, and retail sites. Customers who reused their Xfinity password elsewhere face significantly higher risk.

How the $117.5 million settlement works

The class action lawsuit that followed the breach produced a $117.5 million settlement fund with a two-tier claims structure.

Tier 1: Flat $50 payment. Any eligible customer can file for a $50 cash payment without providing receipts or proof of specific financial harm. You confirm that you were affected by the breach, and that is it. This is the path most claimants will likely take.

Tier 2: Up to $10,000 for documented losses. If the breach directly caused you financial harm, you can seek reimbursement for costs like fraudulent charges, credit monitoring subscriptions, credit freeze fees, or time spent resolving identity theft. Claims in this tier require supporting documentation: bank statements, receipts, police reports, or similar records tying your losses to the Comcast breach.

The filing deadline for both tiers is August 14, 2026. Claims submitted after that date will not be considered.

For context, the math here is worth noting. If every one of the 35.9 million eligible customers filed a Tier 1 claim, the fund would owe nearly $1.8 billion, far more than the $117.5 million available. In practice, class action claim rates are typically low, often in the single digits as a percentage of eligible members. But if participation is higher than expected, individual payouts could be reduced proportionally, a standard mechanism in settlements of this kind.

How to file a claim

Affected customers should have received a notification from Comcast by mail or email containing a unique claim ID and instructions for filing. That notice includes the web address for the official settlement claims portal and contact information for the settlement administrator.

If you believe you were affected but never received a notice, the Maine Attorney General’s breach notification page for this incident links to the customer letters Comcast filed, which contain the settlement website URL and administrator contact details.

When filing, keep these steps in mind:

  • For the $50 payment: Confirm your identity and eligibility. No additional documentation is required.
  • For up to $10,000: Gather records showing out-of-pocket expenses tied to the breach. Bank or credit card statements showing fraudulent charges, invoices for credit monitoring services, and any correspondence with creditors or law enforcement can all serve as supporting evidence.
  • Save copies of everything you submit. Keep your claim confirmation number and any receipts in case the settlement administrator requests follow-up information.

What could reduce your payout

Several factors could affect how much money individual claimants actually receive, and the settlement’s public-facing documents leave some questions unanswered.

The biggest variable is participation volume. As noted above, the $117.5 million fund is finite, and high claim rates would force pro-rata reductions. The Equifax breach settlement offers a cautionary example: its original $125 cash alternative was so popular that the FTC publicly warned claimants they would likely receive far less than the advertised amount.

There is also a documentation gap for Tier 2 filers. Based on a review of the customer notification letters Comcast filed with the Maine Attorney General’s office, those letters do not appear to include detailed guidance on what qualifies as acceptable proof for the higher tier. That creates a practical barrier: people who suffered real losses may not know what evidence to collect, or they may abandon the process when faced with vague claim forms.

Finally, the settlement’s recognized loss period matters. If the eligible timeframe is narrower than the full window of exposure, some customers could find that fraudulent charges or identity theft expenses they incurred fall outside the covered dates.

Why the stolen data is still dangerous

More than two years after the breach, the stolen credentials remain a live threat. Credentials harvested in large-scale breaches routinely surface on dark web marketplaces for years after the initial theft, according to researchers at firms like Recorded Future and SpyCloud that track stolen data circulation. The scale of the Comcast breach, affecting tens of millions of accounts, means the data set is valuable enough to be repackaged and resold repeatedly.

If you have not already taken these steps, do so now:

  • Change your Xfinity password and update any other accounts where you used the same credentials.
  • Enable multi-factor authentication on every account that supports it.
  • Place a fraud alert or credit freeze with the three major credit bureaus (Equifax, Experian, and TransUnion). Both are free and can block new accounts from being opened in your name.

How to protect yourself while the claims window is still open

The $117.5 million settlement fund is real, the deadline is firm, and the only way to collect anything is to file a claim before August 14, 2026. Whether you go for the $50 flat payment or pursue up to $10,000 in documented losses, start now. Gather your records, file early, and keep copies of everything you submit. Beyond filing, continue monitoring your credit reports and financial accounts for suspicious activity. The breach exposed data that criminals can exploit for years, and staying vigilant is the best complement to whatever compensation the settlement provides.
