One flaw was found on Xfinity's in-home authentication page, which let customers pay bills without signing in once they had confirmed their identity with a partial home address. Hackers could spoof a customer's IP address and refresh the page repeatedly; because the correct partial address stayed the same across refreshes, they could work out what it was.
Comcast disabled in-home authentication after learning of this. You'll now need to enter your personal information manually to verify an account.
The other vulnerability lay in the Comcast Authorized Dealers sign-up page. If a hacker who had a customer's billing address brute-forced the page -- trying random four-digit combinations until they hit the right one -- they could learn digits of the customer's Social Security number.
The brute-force method was possible because Comcast didn't limit the number of sign-in attempts; it has since added a strict rate limit.
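A defensive illustration of the missing control on the dealer sign-up check, added here and not Comcast's own code: a four-digit verification gate that counts failed guesses per account rather than per source IP (so rotating IPs does not reset the cap) and locks the check once the cap is hit. The account ids, server key, cap and window are assumed values.

```python
import hmac
import hashlib
import time
from collections import defaultdict

# Constructed placeholder key; a real deployment would store a salted hash
# per account rather than a keyed digest with one shared key.
SERVER_KEY = b"example-server-key"


def _digest(account_id: str, last4: str) -> bytes:
    return hmac.new(SERVER_KEY, f"{account_id}:{last4}".encode(), hashlib.sha256).digest()


class VerificationGate:
    """Four-digit identity check with a per-account attempt cap.

    With no cap, 10,000 online guesses always succeed. With max_attempts
    guesses per window, a single window gives an attacker at most
    max_attempts / 10,000 chance of hitting the right value.
    """

    def __init__(self, max_attempts=5, window_seconds=3600, clock=time.time):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock                    # injectable for testing
        self.stored = {}                      # account_id -> verifier digest
        self.failures = defaultdict(list)     # account_id -> failure timestamps

    def enroll(self, account_id: str, last4: str) -> None:
        self.stored[account_id] = _digest(account_id, last4)

    def _recent_failures(self, account_id: str) -> int:
        cutoff = self.clock() - self.window
        self.failures[account_id] = [t for t in self.failures[account_id] if t > cutoff]
        return len(self.failures[account_id])

    def verify(self, account_id: str, guess: str) -> str:
        """Return 'ok', 'denied' or 'locked'. The lock is keyed on the account
        under attack, so it holds even if every guess comes from a new IP."""
        if account_id not in self.stored:
            return "denied"
        if self._recent_failures(account_id) >= self.max_attempts:
            return "locked"                   # even a correct guess is refused
        if hmac.compare_digest(self.stored[account_id], _digest(account_id, guess)):
            return "ok"
        self.failures[account_id].append(self.clock())
        return "denied"


def brute_force_success_probability(max_attempts: int, space: int = 10_000) -> float:
    """Chance that a capped online brute force succeeds within one window."""
    return min(1.0, max_attempts / space)
```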