On December 18, Comcast notified customers of a “recent data security incident” with one of its software companies that exposed their personal information to an outside party. In October, someone gained “unauthorized access” to customers’ usernames and hashed passwords for a period of four days. And it gets worse: Comcast says that “for some customers, other information was also included, such as names, contact information, last four digits of social security numbers, dates of birth and/or secret questions and answers.”

As CBS News reports, the data breach seems to have affected basically everyone subscribed to Xfinity—some 36 million Comcast Xfinity subscribers. The company reported over 32 million internet customers in a recent earnings report; according to the data breach notification Comcast filed with the Maine attorney general’s office on Monday, the October hack affected 35,879,455 people. That’s nearly 36 million, “including residents,” presumably meaning household members of Xfinity subscribers. That makes it hard to pin down exactly how many customers were victims of the breach, but regardless, if you’re an Xfinity subscriber, change your password immediately.

According to Comcast, the company had determined “that information was likely acquired” in the breach back on November 16, and then it took until December 6 to determine that information included usernames, hashed passwords, and so on.

I’m sure there’s a mountain of red tape and legal liability blah blah to wade through before reporting a breach that affects 36 million people—but also, Comcast could’ve potentially told those 36 million people to change their passwords and security questions more than a month ago. The company has given whoever hacked it a full extra month to make use of that compromising information.

The US government has recently been pushing for more cybersecurity regulation, and a new SEC measure on cybersecurity risk management, which just went into effect on December 18, requires companies to disclose “any cybersecurity incident they determine to be material [to investors]” within four business days. While the SEC’s primarily out to protect the stock market here, the rules will hopefully also benefit anyone affected by a serious breach like this one by speeding up the notification process.

Xfinity is now prompting internet subscribers to reset their passwords. If you were impacted, also make sure to change your password on any other service you used the same password for, and make sure to enable two-factor authentication wherever you can. You should also change your security questions and/or enable two-factor authentication on any services where you used the same security questions, since those could potentially be used to gain access to your account even without the password.