Current and former Xfinity customers whose data was stolen in a massive 2023 cyberattack now have until September 14, 2026, to claim cash payments or reimbursement of up to $10,000 from Comcast’s $117.5 million class-action settlement. The deadline was extended from an earlier August cutoff, according to the court-authorized settlement site, giving roughly 35.9 million affected account holders an extra month to act.

A Second Chance to Claim: Deadline Extended to September

The revised timeline emerged quietly in recent weeks. The official settlement administrator, Kroll, now lists the online claim deadline as 11:59 p.m. Eastern Time on September 14, 2026, with paper forms requiring a postmark of that same date. Earlier reporting—including a Forbes article from April 2026—had pointed to August 14 as the cutoff. The extension aligns with a rescheduled final approval hearing, now set for August 5, 2026, instead of the previously planned July date.

Comcast agreed to create the fund to settle Hasson v. Comcast Cable Communications, a consolidated class action filed in the U.S. District Court for the Eastern District of Pennsylvania. The company denies any wrongdoing and maintains that its security practices were lawful. But for consumers, the settlement offers a rare, concrete chance at compensation after a breach that exposed usernames, hashed passwords, and, in some cases, much more sensitive data.

What the Hackers Actually Took

Between October 16 and October 19, 2023, attackers slipped into Comcast’s systems through a flaw in Citrix networking hardware that security researchers later dubbed CitrixBleed (CVE-2023-4966). Citrix had released a patch on October 10, 2023, but Comcast did not apply it in time. Once inside, the intruders extracted customer information linked to nearly 35.9 million Xfinity user IDs.

The scope of stolen data varied. For every affected account, the attackers grabbed at least a username and a hashed password. But for a significant subset, the haul also included names, contact details, dates of birth, partial Social Security numbers (last four digits), and answers to security questions. That combination is especially dangerous because it gives criminals the raw materials to reset passwords on other sites, impersonate victims, or commit identity fraud. A hashed password alone isn’t a cleartext credential, but paired with a known birthdate and mother’s maiden name, it can unlock accounts across the web.

Comcast publicly disclosed the breach on December 18, 2023, and forced a password reset for affected accounts. At the time, the company said it was unaware of any customer data being leaked or used in attacks. No public evidence has tied the Xfinity intrusion to any specific ransomware gang, though CitrixBleed was later exploited by affiliates of LockBit and Medusa against other targets.

Your Options: Cash Now or Full Reimbursement Later

The settlement menu has two main paths, plus a safety-net benefit that doesn’t require filing a claim at all.

Claim Type What You Get Documentation Required?
Alternative cash payment An estimated $50 (not guaranteed; subject to pro-rata reduction) No
Documented loss reimbursement Up to $10,000 for out-of-pocket expenses and lost time Yes, receipts, statements, etc.
Identity protection services Three years of CyEx Financial Shield Complete, including $1 million insurance No separate claim needed; use enrollment code from breach notice

The advertised $50 is an estimate, not a promised check amount. The settlement fund will first cover administration costs, attorneys’ fees (class counsel intends to request up to $39.17 million, or one-third of the total), and $5,000 service awards to each of the 11 named plaintiffs. What remains gets divided among valid claimants on a pro-rata basis. If millions of people claim the alternative payment, the actual amount could shrink significantly.

Those who can document specific losses get more protection. Eligible expenses include unreimbursed fraudulent charges, identity-theft costs, credit freeze fees, credit monitoring subscriptions, postage, mileage, and other costs “fairly traceable” to the breach. Lost time—spent, for instance, reviewing bank statements or placing security freezes—is valued at $30 per hour, capped at five hours ($150), and counts against the $10,000 overall limit.

If you submit a reimbursement claim that’s approved, you’ll receive whichever is larger: your documented loss amount or the alternative cash payment you would have otherwise received. You won’t get both.

Who Qualifies — and How to Check

Eligibility isn’t automatic just because you had an Xfinity account in 2023. The settlement class covers U.S. residents (and those in U.S. territories) who received a personalized breach notice from Comcast on or around December 18, 2023. That notice is your golden ticket. It doesn’t matter whether you’re still a customer or canceled your service months ago.

If you can’t find that notice, Kroll’s settlement website offers an ID lookup tool. You’ll need to verify your identity, typically by providing the email address or account details tied to your Xfinity service. Use only the official site—accessible via the case number or links from legitimate news outlets—and avoid any “fast cash” ads or unsolicited messages that might lead to phishing pages.

The settlement also excludes Comcast insiders, judicial officers, anyone who validly opted out (the opt-out deadline was July 1, 2026), and a handful of individuals who previously released claims. For the vast majority of class members, the only remaining deadline that matters is September 14.

Three Years of Free Identity Protection, Regardless

Even if you skip the cash claim entirely, you are still entitled to three years of CyEx Financial Shield Complete identity-defense services. This suite includes single-bureau credit monitoring, dark-web scans, transaction alerts, security-freeze assistance, monthly credit-score tracking, home-title monitoring, bank-account monitoring, lost-wallet assistance, and up to $1 million in identity-theft insurance.

Enrollment codes were distributed with the original breach notice, but help is available for those who misplaced them. The settlement site walks class members through the activation process. Notably, you can pre-enroll before the court gives final approval, though the coverage won’t kick in until after that approval is granted.

Choosing to do nothing—no cash claim, no monitoring signup—still has consequences. You’ll remain eligible to activate the identity services after final approval, but you’ll receive no cash, and you’ll still be bound by the settlement’s release of legal claims against Comcast. In other words, staying silent doesn’t preserve your right to sue later.

How We Got to a $117.5 Million Payout

The legal road from breach to settlement took about two and a half years. After Comcast’s December 2023 disclosure, a wave of class-action lawsuits alleged that the company had failed to implement reasonable security measures, violated the federal Cable Act, and delayed notification. Those cases were consolidated into Hasson v. Comcast Cable Communications in early 2024.

The settlement avoids a trial and any court ruling on whether Comcast was liable. Instead, the $117.5 million fund represents a negotiated compromise. Lawyers for the class argued that affected customers faced imminent risk of identity theft and concrete losses from the breach. Comcast, while denying fault, agreed to settle “to avoid the cost and uncertainty of litigation.”

Consumer advocacy groups have noted that the settlement’s structure—particularly the alternative cash option—is typical of large data-breach class actions. The actual value per claimant is modest, but the real-world benefit often lies in the forced injection of free identity protection for millions of people who might otherwise ignore the risk.

What to Do Now: Step-by-Step

There’s no reason to wait until September. Here’s a practical checklist for current and former Xfinity customers:

  1. Confirm your eligibility. Visit the court-authorized settlement site (search for “Hasson v. Comcast settlement” or use the case number directly) and use the lookup tool if you’ve misplaced your notice. The site is operated by Kroll, the settlement administrator, and is the only place you should enter personal information for a claim.

  2. Decide on a claim type. If you didn’t lose money, file for the alternative cash payment. It takes minutes and requires no receipts. If you incurred expenses—credit freezes, replacement IDs, postage, mileage, or notary fees—gather your documentation. Handwritten notes without supporting paperwork won’t suffice, so collect bank statements, invoices, and receipts.

  3. File online or by mail. The online portal closes at 11:59 p.m. ET on September 14, 2026. Paper forms must be postmarked by that date. Don’t trust third-party “claim assistance” services; they’re unnecessary.

  4. Enroll in identity protection. Even if you file for cash, activate the CyEx monitoring. The enrollment code from your breach notice is required, but the settlement site has guidance if you’ve lost it. These services are separate from the cash claim and don’t reduce your payout.

  5. Secure your credentials everywhere. This step isn’t part of the settlement, but it’s the most important long-term fix. If you reused your old Xfinity password on any other site, change it immediately. Enable multifactor authentication wherever possible. Review security questions on all accounts—especially those that overlap with the compromised Xfinity questions—and replace them with unique, non-memorable answers stored in a password manager.

What Happens Next

The final approval hearing is scheduled for August 5, 2026, at 12:30 p.m. Eastern in Philadelphia. If the judge signs off, the claims administrator will review submissions and begin calculating payments. That process could take months, especially if appeals are filed. No payment date has been set, but checks typically start going out several months after final approval.

The September 14 claim deadline is the last practical action most consumers will need to take. After that, the only task is to watch for updates on the official site and, if you enrolled, keep an eye on the monitoring alerts that might signal trouble tied to the old breach.