Comcast has agreed to establish a $117.5 million settlement fund for current and former Xfinity customers whose personal information was compromised in its October 2023 data breach, with eligible consumers now given until September 14, 2026, to file a claim. Depending on their circumstances, class members can request an estimated $50 cash payment or seek reimbursement of documented losses and time totaling as much as $10,000.
The proposed settlement in Hasson v. Comcast Cable Communications LLC remains subject to approval by the U.S. District Court for the Eastern District of Pennsylvania. Comcast denies wrongdoing and maintains that it did not violate the law.
USA Today brought renewed attention to the claims process this week, while the court-authorized settlement site confirms that both the filing deadline and final approval hearing were recently extended. Those revised dates matter because some older reports still list an August claim deadline and a July hearing.
Simply having an Xfinity subscription in 2023 does not automatically qualify someone for compensation. The settlement class covers people residing in the United States or its territories who were sent an individual notification about the breach, which Comcast publicly disclosed in December 2023.
The clearest indicator is a notice sent on or around December 18, 2023, stating that the recipient's personal information may have been compromised. A person who received that notification can qualify whether they remain an Xfinity customer or have since canceled their service.
Comcast’s settlement administrator, Kroll, also provides an ID lookup process for recipients who cannot locate their notice or claim credentials. Consumers should use the court-authorized Comcast breach settlement site rather than links from unsolicited messages, advertisements, or social-media posts.
The settlement excludes Comcast and certain affiliated parties, judicial personnel involved in the case, people who validly opted out, and some individuals who pursued separate arbitration or previously released their claims. The deadline to object to or exclude oneself from the settlement was July 1, 2026, so the remaining practical deadline for most class members is the claim cutoff.
Online claims must be submitted by 11:59 p.m. Eastern Time on September 14, 2026. Paper claim forms must be postmarked by the same date.
Payments will come from the net settlement fund after deductions for administration, identity-protection services, court-approved legal expenses, service awards, and other approved costs. Class counsel intends to request attorneys’ fees of up to one-third of the fund, or $39.17 million, plus litigation expenses.
The remaining money will be divided among valid claimants. The settlement plan allows payments to be adjusted upward or downward on a pro rata basis, meaning the final alternative cash amount will depend substantially on participation and the value of approved loss claims.
Customers who suffered identifiable costs can instead request reimbursement for out-of-pocket losses and lost time. The combined cap for this route is $10,000 per claimant, but applicants should not interpret that ceiling as a standard payout.
Eligible expenses may include unreimbursed fraud losses, identity-theft costs, fees associated with credit freezes, credit reports, monitoring products, postage, copying, mileage, and other costs reasonably connected to the breach. Expenses generally must have been incurred on or after October 16, 2023, and claimants must explain why they are fairly traceable to the incident.
Supporting evidence can include bank or credit-card statements, invoices, receipts, and telephone records. The administrator warns that self-created evidence, such as a handwritten receipt presented without corroboration, is not sufficient by itself.
Lost time is valued at $30 an hour for up to five hours, in 15-minute increments. Claimants must describe the work performed, such as reviewing accounts, responding to suspected identity misuse, placing security freezes, or taking preventive measures after the breach.
The settlement provides that consumers submitting a loss claim will receive the greater of their approved reimbursement or the applicable alternative cash payment. They will not receive both as separate, additive awards.
The Associated Press reported at the time that Xfinity detected suspicious activity on October 25. By December 6, Comcast had concluded that customer information was likely acquired, and it began notifying affected people later that month.
A filing with the Maine attorney general put the affected population at nearly 35.9 million user IDs. The information involved varied by account but included usernames and hashed passwords, along with some customers’ names, contact details, dates of birth, account security questions, and the last four digits of Social Security numbers.
Comcast required customers to reset their passwords and recommended multifactor authentication after disclosing the incident. The company said at the time that it was unaware of customer information being publicly leaked or used in attacks, but the lawsuits that followed alleged that its security practices had failed to adequately protect subscriber data.
The settlement resolves those consolidated claims without a trial or a ruling that Comcast was liable. Class members who remain in the settlement will release covered legal claims against Comcast, even if they take no action and receive no cash payment.
Class members do not have to submit a cash claim to qualify for these services. Individual enrollment codes are being distributed through settlement emails and mailings, and recipients can pre-enroll before the agreement becomes final.
Consumers who do nothing will still remain eligible to activate the identity-defense services after final approval. They will not, however, receive an alternative cash payment or reimbursement for losses, and they will remain bound by the settlement’s release of claims.
That distinction makes the claim form important even for someone seeking only the estimated $50 payment. Enrollment in monitoring is automatic for eligible class members, but cash is not.
Administrators and security-conscious users should also treat the settlement as separate from the continuing need to secure reused credentials. Anyone who used an old Xfinity password on another service should replace it there as well, enable multifactor authentication where available, and review stored security questions whose answers may overlap across accounts.
Approval would not necessarily produce immediate payments. Claims must still be reviewed, and any appeals would have to be resolved before settlement benefits can be distributed.
No firm payment date has been announced. The more immediate milestone for affected Xfinity customers is September 14, 2026: the last day to submit an online claim or obtain a valid postmark for the paper form.
The proposed settlement in Hasson v. Comcast Cable Communications LLC remains subject to approval by the U.S. District Court for the Eastern District of Pennsylvania. Comcast denies wrongdoing and maintains that it did not violate the law.
USA Today brought renewed attention to the claims process this week, while the court-authorized settlement site confirms that both the filing deadline and final approval hearing were recently extended. Those revised dates matter because some older reports still list an August claim deadline and a July hearing.
Eligibility Follows the Breach Notice, Not the Account
Simply having an Xfinity subscription in 2023 does not automatically qualify someone for compensation. The settlement class covers people residing in the United States or its territories who were sent an individual notification about the breach, which Comcast publicly disclosed in December 2023.The clearest indicator is a notice sent on or around December 18, 2023, stating that the recipient's personal information may have been compromised. A person who received that notification can qualify whether they remain an Xfinity customer or have since canceled their service.
Comcast’s settlement administrator, Kroll, also provides an ID lookup process for recipients who cannot locate their notice or claim credentials. Consumers should use the court-authorized Comcast breach settlement site rather than links from unsolicited messages, advertisements, or social-media posts.
The settlement excludes Comcast and certain affiliated parties, judicial personnel involved in the case, people who validly opted out, and some individuals who pursued separate arbitration or previously released their claims. The deadline to object to or exclude oneself from the settlement was July 1, 2026, so the remaining practical deadline for most class members is the claim cutoff.
Online claims must be submitted by 11:59 p.m. Eastern Time on September 14, 2026. Paper claim forms must be postmarked by the same date.
The Advertised $50 Is an Estimate
Eligible class members can request an alternative cash payment estimated at $50 without presenting evidence of a specific financial loss. That figure is not a guaranteed check amount.Payments will come from the net settlement fund after deductions for administration, identity-protection services, court-approved legal expenses, service awards, and other approved costs. Class counsel intends to request attorneys’ fees of up to one-third of the fund, or $39.17 million, plus litigation expenses.
The remaining money will be divided among valid claimants. The settlement plan allows payments to be adjusted upward or downward on a pro rata basis, meaning the final alternative cash amount will depend substantially on participation and the value of approved loss claims.
Customers who suffered identifiable costs can instead request reimbursement for out-of-pocket losses and lost time. The combined cap for this route is $10,000 per claimant, but applicants should not interpret that ceiling as a standard payout.
Eligible expenses may include unreimbursed fraud losses, identity-theft costs, fees associated with credit freezes, credit reports, monitoring products, postage, copying, mileage, and other costs reasonably connected to the breach. Expenses generally must have been incurred on or after October 16, 2023, and claimants must explain why they are fairly traceable to the incident.
Supporting evidence can include bank or credit-card statements, invoices, receipts, and telephone records. The administrator warns that self-created evidence, such as a handwritten receipt presented without corroboration, is not sufficient by itself.
Lost time is valued at $30 an hour for up to five hours, in 15-minute increments. Claimants must describe the work performed, such as reviewing accounts, responding to suspected identity misuse, placing security freezes, or taking preventive measures after the breach.
The settlement provides that consumers submitting a loss claim will receive the greater of their approved reimbursement or the applicable alternative cash payment. They will not receive both as separate, additive awards.
CitrixBleed Put Nearly 35.9 Million IDs at Risk
The underlying incident occurred between October 16 and October 19, 2023, when attackers gained unauthorized access to Comcast systems through a vulnerability in Citrix networking software. The flaw became widely known as CitrixBleed and is tracked as CVE-2023-4966.The Associated Press reported at the time that Xfinity detected suspicious activity on October 25. By December 6, Comcast had concluded that customer information was likely acquired, and it began notifying affected people later that month.
A filing with the Maine attorney general put the affected population at nearly 35.9 million user IDs. The information involved varied by account but included usernames and hashed passwords, along with some customers’ names, contact details, dates of birth, account security questions, and the last four digits of Social Security numbers.
Comcast required customers to reset their passwords and recommended multifactor authentication after disclosing the incident. The company said at the time that it was unaware of customer information being publicly leaked or used in attacks, but the lawsuits that followed alleged that its security practices had failed to adequately protect subscriber data.
The settlement resolves those consolidated claims without a trial or a ruling that Comcast was liable. Class members who remain in the settlement will release covered legal claims against Comcast, even if they take no action and receive no cash payment.
Identity Monitoring Does Not Require a Cash Claim
The settlement also includes three years of CyEx Financial Shield Complete identity-defense and restoration services. This package includes single-bureau credit monitoring, dark-web monitoring, transaction alerts, security-freeze assistance, monthly credit-score tracking, home-title monitoring, bank-account monitoring, lost-wallet protection, victim assistance, and up to $1 million in identity-theft insurance.Class members do not have to submit a cash claim to qualify for these services. Individual enrollment codes are being distributed through settlement emails and mailings, and recipients can pre-enroll before the agreement becomes final.
Consumers who do nothing will still remain eligible to activate the identity-defense services after final approval. They will not, however, receive an alternative cash payment or reimbursement for losses, and they will remain bound by the settlement’s release of claims.
That distinction makes the claim form important even for someone seeking only the estimated $50 payment. Enrollment in monitoring is automatic for eligible class members, but cash is not.
Administrators and security-conscious users should also treat the settlement as separate from the continuing need to secure reused credentials. Anyone who used an old Xfinity password on another service should replace it there as well, enable multifactor authentication where available, and review stored security questions whose answers may overlap across accounts.
Court Approval Comes Before Any Checks
The final approval hearing is now scheduled for August 5, 2026, at 12:30 p.m. Eastern Time in Philadelphia. The court will consider whether to approve the agreement, legal fees, expenses, and payments to the named class representatives.Approval would not necessarily produce immediate payments. Claims must still be reviewed, and any appeals would have to be resolved before settlement benefits can be distributed.
No firm payment date has been announced. The more immediate milestone for affected Xfinity customers is September 14, 2026: the last day to submit an online claim or obtain a valid postmark for the paper form.
References
- Primary source: Rolling Out
Published: 2026-07-14T18:31:56+00:00
Xfinity customers affected by 2023 hack may qualify for a payout
Comcast will pay $117.5 million to settle a 2023 data breach lawsuit. Here's who qualifies and how to file a claim before September 14.rollingout.com - Related coverage: forbes.com
Comcast $117.5 Million Breach Settlement — Are You Eligible?
Comcast agreed to a $117.5 million settlement after a 2023 breach exposed 35 million Xfinity customers. Eligible class members can claim up to $10,000 by Aug. 14.www.forbes.com