If you've been an Xfinity customer at any point and haven't heard about the $117.5 million Comcast data breach settlement, you may have money sitting on the table with a hard deadline approaching. The claims period is open now, managed by Kroll Settlement Administration LLC, and the filing cutoff is August 14, 2026. After that date, no claims will be accepted — period.
This is one of the largest consumer data breach settlements in recent history, covering up to 35 million Xfinity customers whose personal information was exposed in October 2023. Here's everything you need to know about eligibility, how to file, and what this case reveals about corporate cybersecurity accountability.
What Happened: The October 2023 Xfinity Data Breach
The breach didn't happen because of a phishing attack on a careless employee or a brute-force password crack. It happened because of a vulnerability in software Comcast used — specifically, a flaw that allowed unauthorized actors to access internal systems before the company could patch it.
Comcast detected the intrusion in October 2023 but didn't publicly disclose it until December 2023, a two-month gap that became central to the subsequent lawsuit. When the disclosure finally came, the scope was staggering: between 31.6 and 35 million Xfinity customers had their data exposed.
The exposed information included:
- Usernames and hashed passwords
- Contact information (names, addresses, email addresses, phone numbers)
- Dates of birth
- Partial Social Security numbers
- Secret security questions and answers
Hashed passwords aren't stored in plain text, but depending on the hashing algorithm used, they can still be cracked — especially if customers used weak or commonly reused passwords. The partial Social Security numbers are arguably more alarming, as even four digits combined with other leaked data can be enough for fraudsters to piece together a complete identity profile.
The combination of partial SSNs, security question answers, and contact details is particularly dangerous — it gives bad actors the building blocks for identity theft, account takeovers, and social engineering attacks.
The Lawsuit: Hasson v. Comcast Cable Communications LLC
The class-action lawsuit, formally titled Hasson v. Comcast Cable Communications LLC, accused Comcast of failing to adequately protect customer data and of delaying public disclosure of the breach. Plaintiffs argued that the company's negligence left millions of customers exposed to ongoing risks of fraud, identity theft, and financial harm — risks that don't disappear once a breach is patched.
Comcast, for its part, denied any wrongdoing as part of the settlement agreement — a standard posture in class-action resolutions that allows companies to pay out without admitting legal liability. The $117.5 million figure, however, speaks for itself. You don't cut nine-figure checks unless the legal exposure is real.
According to reporting from AOL News, the settlement was reached as both sides sought to avoid the uncertainty and cost of a prolonged trial. A final approval hearing is scheduled for July 7, 2026 — but customers don't need to wait for that hearing to file their claims.
Who Qualifies for the Settlement?
Eligibility is broader than many customers assume. You qualify if you were an Xfinity customer whose data was exposed in the October 2023 breach. Comcast has the records — you don't need to prove independently that your specific data was accessed.
If you received a notification from Comcast/Xfinity about the data breach in late 2023 or early 2024, that's your clearest indicator of eligibility. But even if you didn't receive a notice (notifications sometimes end up in spam or go to outdated email addresses), you may still be eligible based on your account status during the breach window.
As detailed by MSN's coverage of the settlement eligibility requirements, the key question is whether you were an active Xfinity subscriber at the time of the breach and whether your data was part of the exposed dataset.
How Much Can You Claim — and What Are Your Options?
The settlement offers two distinct compensation tracks, and choosing the right one depends on your circumstances.
Option 1: The Flat Cash Payment (Up to $50)
The simplest path: file a claim and receive up to $50 in cash without needing to document anything beyond your identity and Xfinity account information. This is the "alternative cash payment" option, designed for customers who weren't directly defrauded but whose data was still exposed.
The $50 figure is a cap, not a guarantee. Final individual payouts depend on how many eligible claims are filed — if the total claims exceed the settlement fund, payments are proportionally reduced. This is how class-action economics work: file early, because large claim volumes dilute individual payments.
Option 2: Reimbursement for Losses (Up to $150)
Customers who experienced actual harm from the breach can claim more — up to $150 in documented out-of-pocket expenses or up to 3 hours of lost time at $30 per hour.
Qualifying expenses include:
- Fees paid for credit monitoring or identity theft protection services
- Bank fees or charges resulting from fraudulent transactions
- Costs of replacing affected financial accounts or documents
- Time spent dealing with the breach's direct consequences (capped at 3 hours)
The "lost time" provision is meaningful. If you spent hours changing passwords, monitoring accounts, disputing charges, or dealing with suspicious activity following the breach, you can claim compensation for that time without requiring a receipt or bank statement. According to KVUE's breakdown of settlement qualifications, documentation requirements are relatively accessible for most claimants.
How to File Your Claim Before the August 14, 2026 Deadline
Filing is straightforward, but the deadline is absolute. Claims must be submitted by August 14, 2026.
Online Filing
The fastest method is filing through the official settlement website managed by Kroll Settlement Administration. You'll need your Xfinity account information to verify eligibility and submit your claim. The online portal guides you through both compensation options.
Mail Filing
For customers who prefer paper submissions, claims can be mailed to:
Kroll Settlement Administration LLC
P.O. Box 5324
New York, NY 10150-5324
Mailed claims must be postmarked by August 14, 2026 — not received by that date. If you're mailing close to the deadline, use certified mail with tracking to confirm delivery.
As MSN's filing guide explains, the process takes roughly 10-15 minutes for most claimants choosing the flat cash option. Document-based claims will take longer if you need to gather receipts or records.
Who Is Kroll Settlement Administration?
Kroll Settlement Administration LLC is one of the largest class-action settlement administrators in the United States. They're not a law firm or a government agency — they're a neutral third party contracted to handle the logistics of large settlements: receiving claims, verifying eligibility, distributing payments, and handling disputes.
Their involvement is routine in cases of this scale. Kroll has administered settlements in cases involving Equifax, Capital One, T-Mobile, and dozens of other high-profile data breaches. The New York P.O. Box listed for mail submissions is their standard processing address for large consumer settlements.
If you receive any unsolicited communication claiming to be from Kroll or the Comcast settlement that asks for payment, banking information, or unusual personal details, treat it as a scam. Legitimate settlement processes don't require upfront fees or sensitive financial data beyond what's needed to verify your identity and deliver payment.
What This Settlement Actually Means: Analysis
$117.5 million sounds significant, but context matters. Comcast's annual revenue exceeds $120 billion. The settlement represents less than 0.1% of annual revenue — roughly three hours of operating income for a company this size. For the 35 million affected customers, even the maximum $150 claim barely covers the time and stress of dealing with a serious data breach.
This isn't a criticism of the plaintiffs' attorneys — class actions against tech giants consistently face an uphill battle in quantifying diffuse harm. The problem is structural: data breach liability law hasn't kept pace with the scale of modern breaches. When companies face penalties that are mathematically insignificant relative to their size, the deterrent effect is limited.
The two-month disclosure delay is the detail that should concern regulators most. Comcast knew in October 2023 that tens of millions of customers had been exposed. Customers didn't find out until December 2023. During those two months, affected users had no reason to change their passwords, freeze their credit, or monitor their accounts for suspicious activity. That gap represents real, quantifiable harm — and it's the kind of behavior that stronger mandatory disclosure timelines could prevent.
The MSN reporting on the settlement timeline underscores why the April 2026 surge in public attention matters: many eligible customers simply haven't heard about it yet. Settlement administrators and class-action attorneys have strong financial incentives to maximize claim rates (attorney fees are often tied to overall settlement administration), but the practical reality is that millions of eligible customers will miss the deadline out of ignorance, not indifference.
Protecting Yourself After a Data Breach
Whether you file a claim or not, the practical steps for protecting yourself after this type of exposure are the same — and they apply broadly to any breach involving partial SSNs and security question data.
Immediate Actions
- Change your Xfinity password immediately if you haven't already. Use a unique password not reused on any other platform.
- Update your security questions on any account where you used the same answers as your Xfinity account. These answers are now potentially compromised.
- Enable two-factor authentication (2FA) everywhere it's offered, prioritizing email, banking, and social media accounts.
- Place a credit freeze with all three major bureaus (Equifax, Experian, TransUnion) — it's free and prevents new accounts from being opened in your name.
Longer-Term Monitoring
- Monitor your credit reports regularly through AnnualCreditReport.com
- Set up fraud alerts with your bank and credit card providers
- Consider a hardware security key like a YubiKey Security Key for accounts where you want the strongest possible 2FA protection — these physical keys are phishing-resistant in a way that SMS codes are not
- Review your existing accounts for any password reuse tied to your Xfinity credentials
The hashed password exposure is less urgent than the partial SSN leak, but don't dismiss it entirely. If your password was weakly hashed (MD5 or SHA-1 without salting), it may already be crackable by anyone who obtained the database. Treat it as compromised.
Frequently Asked Questions
Do I need proof that my data was accessed to file a claim?
No. The settlement covers all Xfinity customers whose data was included in the breach dataset, regardless of whether you can demonstrate that bad actors specifically accessed your records. Comcast's own records determine eligibility — you just need to verify your account information when filing.
What if I didn't receive a breach notification from Comcast?
You may still be eligible. Notifications were sent to affected customers, but emails get lost, addresses change, and spam filters catch things they shouldn't. Check the official settlement website with your Xfinity account details to verify your eligibility status directly.
Will filing a claim affect my Xfinity service or relationship with Comcast?
No. Participating in the settlement is your legal right as an affected customer. Comcast cannot retaliate against customers for filing claims, and the settlement was structured with consumer participation in mind.
What happens if the settlement isn't approved at the July 7, 2026 hearing?
If the court rejects the settlement, claims filed would not be processed and the case would either return to litigation or be renegotiated. This is unlikely given the settlement's structure and both parties' agreement, but it's the reason claims submitted before the final hearing carry a small element of uncertainty. In practice, courts approve the vast majority of class-action settlements that reach this stage.
Is there any cost to file a claim?
None. The process is completely free. Any website or service asking for a fee to help you file a Comcast settlement claim is a scam. File directly through the official Kroll-administered settlement portal or by mail to the P.O. Box listed above.
Conclusion: Don't Miss the August 14, 2026 Deadline
The Comcast Xfinity data breach settlement is a textbook case of how large-scale corporate data exposure plays out in the American legal system: a massive breach, a significant settlement, and a window of time in which affected customers can seek compensation before the door closes permanently.
If you were an Xfinity customer in 2023, file your claim now. The $50 flat payment won't make anyone whole for a serious breach of this nature, and the $150 maximum for documented losses doesn't fully capture the anxiety and time cost of dealing with exposed identity data. But it's your money, it's available, and the August 14, 2026 deadline won't be extended.
More broadly, this case is a reminder that data breaches carry long tails. The breach happened in October 2023. The settlement fund won't be distributed until late 2026 at the earliest. The downstream effects — fraudulent accounts, identity theft, compromised security questions — may not surface for years. The cybersecurity hygiene steps above aren't optional extras; they're the actual protection that no settlement can substitute for.
For further reading on consumer protection and financial security topics, check out our guide to Best Car Insurance 2026: Rates, Bundles & Claims Guide — another area where consumer rights and complex claims processes intersect.
