Posts by X2Y

File your taxes early, this season and every one after. Fraudulent returns are one of the most common uses of exposed Social Security data.

If fraud has already happened, identitytheft.gov generates a personal recovery plan and pre-fills dispute letters. The data from this breach does not expire.

8 hours ago 15 5 0 0

Place a free credit freeze at Equifax, Experian, and TransUnion. All three.

It takes about 20 minutes and blocks anyone from opening new accounts in your name even with your full information.

Unfreeze when you need credit. Refreeze after.

8 hours ago 14 6 2 0

What you can do now.

Change your Xfinity password and every account that shared it.

Update security question answers on any platform where you used the same ones.

Turn on two-factor authentication everywhere it matters.

8 hours ago 7 4 1 0
Hasson v. Comcast Cable Communications LLC

Deadline to file is August 14, 2026. You can file at comcastbreachsettlement.com.

8 hours ago 5 2 1 0
Class action settlements guide by x2y.tech A helpful handbook for reclaiming what you're owed.

A known flaw. Two months of silence. 36 million people. Comcast settled for $117.5 million. If you were among them, you are eligible for payouts starting from $50 and up to $10,000 for losses, $1M theft insurance, and many more. If you have never filed a class action claim, here is a free guide.

8 hours ago 9 6 1 0

Now add the Social Security piece. Last four digits paired with your name, address, and date of birth.

That combination is enough to open credit accounts, pass identity checks, and file a fraudulent tax return in your name.

And that damage can surface months or years after the fact.

8 hours ago 8 6 1 0

The security question answers are worse. Mother's maiden name. First pet. You cannot change what those answers actually are.

Any account where you used the same answers as Xfinity is still open to whoever has this data, today and years from now.

8 hours ago 7 5 1 0

"Hashed passwords" is the phrase Comcast used to make it sound contained. Hashed is not the same as safe.

These passwords can be cracked. If you used that password anywhere else, those accounts are still at risk right now.

8 hours ago 9 3 1 0

That window is the actual damage.

Two months where you had no reason to change your password. No reason to check your credit.

You were exposed and had no idea.

8 hours ago 11 6 1 0

What they took: usernames, passwords, names, contact information, security question answers, and for millions of customers, the last four digits of Social Security numbers.

Then Comcast waited nearly two months before telling anyone.

8 hours ago 7 5 1 0

In October 2023, attackers broke into Xfinity's systems through a flaw in Citrix, a cloud platform Comcast used.

Citrix had already disclosed the vulnerability publicly.

Comcast had not patched it. The door was open before the attackers even arrived.

8 hours ago 6 3 1 0

36 million Comcast customers had their Social Security numbers, names, addresses, and contact info stolen in a breach Comcast knew about and never fixed.

To put that in perspective, that is 1 in every 10 US citizens, and you can be one of them.

Here is what happened:

8 hours ago 37 15 1 0

The note field is the second exposure point. A note that says "insulin" or "therapy" tells a detailed story on its own.

Blank notes or "thanks" do the same job.

Cash App hides transactions by default if you're weighing your options.

2 days ago 13 0 0 0

The fix starts in settings.

Set transaction visibility to Private and do the same for your friends list.

Check after every major app update. Platforms have reset these settings without notice before.

2 days ago 15 0 1 0

A formal study later found 41 million notes across 8.5 million users containing health conditions, political beliefs, and substance use.

None of them knew they had published any of it. They were splitting a bill or paying a friend back.

2 days ago 8 0 1 0

A former Mozilla fellow downloaded 207 million transactions through that API with no special tools.

Separately, someone built a bot that automatically tweeted every Venmo note suggesting a drug purchase.

Real names. Public posts. Both were just using what Venmo left open.

2 days ago 7 0 1 0

Venmo sets all transactions to public by default.

Who you pay, when, and what you write in the note: visible to anyone.

No login required to access it through the open developer API.

2 days ago 8 0 1 0

Researchers took a stranger's Venmo transaction notes and reconstructed their home location, their child's school, and their daily schedule.

No breach. No hack. The data was just public.

2 days ago 39 7 3 2

If the payment app was funded through a credit card, your card issuer may have protections the app doesn't. That is worth checking.

Prevention is still the only reliable defense. The law has not caught up to the scam.

3 days ago 18 1 1 0

If it happens anyway:

Contact your bank within hours and ask them to attempt a fund recall.

File reports with the CFPB at consumerfinance.gov and the FTC at reportfraud.ftc.gov.

Get a police report; some apps require one to even open a dispute.

3 days ago 17 1 1 0

Legitimate employers, government agencies, and real companies do not request payment via Zelle, Venmo, or Cash App.

If someone insists on one of these apps specifically, that is the tell.

3 days ago 9 2 1 0

One rule covers most of it: if someone you don't know personally sends you money and immediately asks you to send some back out, stop.

That is the overpayment scam. The deposit will reverse.

Your money will not come back.

3 days ago 9 2 1 0

The playbook is consistent: urgency, a believable story, sometimes a fake deposit first, then a request to forward money quickly.

The urgency is not incidental. Panic is the mechanism.

It exists to stop you from pausing long enough to verify anything.

3 days ago 6 1 1 0

Consumer Reports tested Zelle, Venmo, Cash App, and Apple Cash.

None of them fully reimburse users who were deceived into authorizing a payment. "Authorized" means unprotected.

That is the actual policy at all four.

3 days ago 6 1 1 1

This is not a loophole scammers stumbled into. It is the target.

The entire scam is engineered to make you press send.

Because the moment you do, federal consumer protection law no longer applies to you.

3 days ago 7 1 1 0

A retired teacher received $1,500 from a stranger with an urgent story about a child's rent.

She forwarded it out of kindness.

Two days later the original deposit reversed. She was out $1,500 of her own money.

The bank said the same thing: she had authorized it herself.

3 days ago 7 1 1 0

A 21-year-old got a message from a "research company" offering paid work.

They sent her a check. Told her to buy supplies via Zelle.

The check was fake. The $2,400 she sent was real.

Zelle said nothing could be done. She testified before Congress. Nothing changed.

3 days ago 6 1 1 0

Here's the legal trick scammers figured out before most people did.

If they steal from you, the bank has to pay you back. If they trick you into sending it yourself, they don't.

That one word, "authorized," is worth billions to fraudsters.

3 days ago 47 9 4 1

If you banked with an affected institution between 2005 and 2020, you may still be eligible for settlement money.

TopClassActions.com tracks open claims.

The CFPB takes complaints at consumerfinance.gov.

4 days ago 9 0 0 0

Credit unions and online banks like Ally tend to have more straightforward posting practices.

Before opening any account, ask in writing: "In what order do you process transactions?"

That question alone tells you a lot.

4 days ago 8 0 2 0